/ / / _ // _//_ _// / / /_/ _/ / _/ / / // // /_____/__//___/ /_/ /___/ ______ _ _ ___ / _ // // // _ / / _// _ // // // / / __// _ // _ / / _// __ // _/// // /__/ /_//_//_/_\_\/___/_/ /_//_/\_\/___/ / // // _// _ // _ // __/ / _ // _// __ // ////__ / /_//_//___/_/ /_//___//____/ Issue number 2, Part II of II _____________________________________ | \ | The low down on trunking systems \ | By: Bagel | | Contact: bagel@Phreaker.net | | / -------------------------------------/ IIIINNNNNNNNNN X INDEX D XEEEEEEEEEEEED I. Conventional vs. Trunked II. Types of Trunked Systems III. Trunking Frequencies IV. Trunking Equipment V. Disadvantages of Trunking VI. Conclusion ---------------------------------------------------------------------- I. Conventional vs. Trunked In the wide world of radio scanning, there are two essential types of radio systems: conventional and trunked. Conventional radio systems. In a conventional system, only one conversation can be taking place on one such frequency, or channel, irregardless as to how many that corporation, company, police department, or booze-bag owns. For example, lets take a police department. Let's say they own 5 channels, or frequencies. Only ONE conversation can be taking place on EACH channel at a time. This can be extremely inefficient. This is where trunked systems fall into place. A good example on how a trunked system works came from a manual I was reading is as follows: "At most banks, everyone stands in the same line. At the front of the line the customer goes to whatever window is empty. The next customer in line probably goes to a different window. Doesn't matter, the service is still the same." So, instead of all users trying to transmit messages via one VHF/UHF repeater, the users of one corporation/po-po department transmit on whatever frequency is open and currently not being used or is not as busy as the others. Therefore, all repeaters are being used at the same time, with the same amount of users on each. Still don't understand? One more example, if you don't understand it by now, you are a booze bag. Conventional System: A bank with only one teller window. Everyone has to wait their turn, and everyone gets what they need at a very slow and inefficient pace. Trunked System: A bank with five teller windows. Everyone gets served as each window opens up. Customers get in and out very quickly and efficiently. II. Types of Trunked Systems There are two main types of trunked systems. These are Motorola and G.E. Ericsson (EDACS). The Motorola trunked systems can be classified into three types: Motorola (I) - Motorola type I Motorola (II) - Motorola type II Motorola (IIi) - Motorola type IIi The more common and popular one out of the two is the Motorola system. However, there is another type of trunking system besides Motorola and Ericsson, and that is LTR. LTR equipment is available from a number of manufacturers, and has been used for many years. In LTR systems, there is no control channel, instead, a central-computer is used to control the channels/users. A new type of LTR system is being used by a small amount of public safety agencies under the name "MultiNet". III. Trunking Frequencies The majority of trunking systems operate on the infamous "800" band. However, this is just "one of those things". In other words, trunking systems can also be used on the UHF band such as 406-420MHz (yes, ic0n... 420!). But overall, you will find 9 out of the 10 trunked systems operating on the "800" band. Below I will list nationwide, United States Government trunked systems. Motorola Systems used by Federal Government Group 1: 406.350 407.150 407.950 408.750 409.550 Group 2: 406.750 407.550 408.350 409.150 409.950 Group 3: 406.550 407.350 408.150 408.950 409.750 Group 4: 406.950 407.750 408.550 409.350 410.150 Ericsson Trunked Systems (EDACS) 406.000 406.100 406.150 406.200 406.225 406.350 406.550 406.750 407.150 407.175 407.250 407.325 407.350 407.375 407.425 407.450 407.475 407.525 407.575 407.950 408.025 408.050 408.150 408.175 408.425 408.475 408.525 408.550 408.575 408.625 408.750 408.950 409.025 409.125 409.150 409.225 409.300 409.325 409.350 409.475 409.550 409.600 409.725 409.750 409.850 409.950 410.000 IV. Trunking Equipment Well, in case you haven't noticed, the average 90 dollar scanner is NOT trunking capable. Conventional scanners do not have trunking capabilities and/or do not cover the "800" band in their frequency range. So you have to spend the extra 50 bux and go and get a trunking-capable scanner. Personally, unless your a hermit and do not explore outside of your house, getting a portable trunking capable scanner, such as myself. I have the Radio Shack PRO-94 1,000 channel, Dual Trunking scanner. I got it cheap ($149.99) because of the time I bought it (a month before Christmas), when all the prices go down. Also, make sure you get a DUAL trunking scanner, so you can listen to both Motorola and Ericsson (EDACS) systems. You WILL be limited to ANALOG systems, trunking scanners cannot interpret digital trunking signals, but you will not really have to worry about that, thus digital trunking systems are even more expensive than analog systems. I recommend picking up "Police Call, 2002 Edition" for 20 bucks at Radio Shack, which has a huge list of trunking frequencies, including the ones listed above. V. Disadvantages of Trunking Like everything in life, trunking has its disadvantages also. The advantages certainly outweigh the disadvantages. One disadvantage of trunking is that it is expensive. It costs a lot more to purchase and operate an analog trunking system, including the radios that go along with users on that trunk, than a conventional system and radios. The other disadvantage is that scanners (us), need to save up our b00ze money to buy a trunking scanner.... BAH! One more disadvantage is that all users aren't really "trunking-compatible" if you know what I mean. In other words, not everyone understands trunking and how it works. VI. Conclusion Well, like every tutorial, I hope this has helped you understand the concept of trunking, how it works, what you need to use trunking, some frequencies and types of trunked systems, and some disadvantages of trunking. Until next time...... BaGeL, I'm out. ----------- Shoutoutz: | ----------- Shoutoutz to all my boyz in cDp, I lub you guys. Also to all muh b00ze-bagz in lph... w00t w00t. Another shout-out to the JC's... JUGGALO COMMANDOS Guy_SJS... clean that house! HardW1r3... we go waayyy back. Flow... wherever you may be. Bizurke... faaayyyyyyygoooooo SupaKilla... juggalo I got yah back ic0n... what time is it ic0n?? Your also 31337 as hell man. Xenocide... This thing came up and said, you've... you've got a virus. deepdish... you b00zzee bag. angel... "shuddup bitch"... hahaa, im jus kidden hun, I lub yah. Dark_Archon... did your grandfather die yet so you can get his scanner? eslut... nice work w/ the confs ;) Reaver423... sup d00d, happy belated birthday locutus126... you are a big booze bag d00d, get help. MaddJimBeam... muh MA phreaker GameZ... thanks for the help w/ the IRCd bro, and the baker is NOT home newbie... chillen in Argentina halo... you dissappeared but yah still cool gaijin... wassssssssaaaaaahhhhhhhhhhh If I missed ne1 sorry, I still love you... lol. ____________________________________________________ | \ | *****Standard/Cat3 color scheme conversion***** \ | By: Captain B | | Contact: ??? | | / ----------------------------------------------------/ Before I begin, unless you plan on installing Cat3 wire in your home, you need not read any further. The purpose of this file is to give you an understanding of the Cat 3 wiring color scheme, and how to connect it to standard wiring phone jacks. Before I do, let me mention that another difference between standard and Cat3 cabling is that Cat cabling has a greater bandwidth, and can push more data per second over it than standard wire. Also, Cat cabling is twisted pair wiring. Standard is non-twisted. Meaning, each wire in a pair (negative and postive) are twisted around each other, thereby making the pair self-shielding. In other words, Cat cabling phone wire is better. To further break it down which is the best among the 3 types of Cat cabling, here's a chart showing the data per sec each can transmit... Type -- Data per sec. Cat3 -- 10MegaBits/sec Cat5 --100MegaBits/sec Cat5e--1000MegaBits (or 1GigaBit) per sec Cat5/5e only seem to come in RJ45 4 pair (4 line)wiring, as far as I've seen. Cat3 I've seen in both 2 pair and 4 pair wiring at Home Depot. For residential homes, most people won't have more than 2 line wiring. (And most likely won't need more than 2 pair wiring). So, for Cat3 I'll only be mentioning the wire colors for 2 pair Cat3. The extra wires (if It's Cat3 4 pair wire) don't need to be hooked up. In fact, they can be cut, if you like. Installing phone wire of any type always requires a wire cutter and wire stripper. (Or buy a combo wire stripper/cutter from Rat Shack, or some other electronic store). I'm not going into about how to strip off wire insulation, or any of that here. You should know that stuff. Okay, so here's how the color conversion between standard and Cat3 wire goes.. Standard wire Cat 3 Tip- Green -----Line 1----- Orange Ring- Red -----Line 1----- White/orange stripe Tip- Black -----Line 2----- Blue Ring-Yellow ----Line 2----- White/blue stripe Tip= Postive (primary) Ring= Negative (secondary) Solid color wires= Positive Non-solid color (stripe) wires= Negative As a final note for anyone trying to install phone wire for the first time: Take your time, work slowly and carefully, and exercise patients. The small gauge (size) of phone wire of any type makes it pretty prone to easy breakage. Also, if you're only using your phone line for standard voice communications, It's not necessary to go with Cat 3,5, or 5e wire. Cat cabling is more ideally suited for data transmitions. Such as modems, fax machines, TTY machines, or other telecom equipment that transmits data over phone lines. But, you can use Cat cabling for regular voice communication, too. To get a few more tips on installing phone wire, pick up a book called "Installing Telephones" from Radio Shack or pick up some other telecom related book at other electronics stores. Also, your library may have some books about it, so go check. And, here's a related web site you may find useful: http://www.phonewiring.com/ Oh, and always remember to disconnect your phone line at the TNI (Telephone Network Interface) outside your house first to remove voltage while working. Or, you can short the pair (connect ring and tip terminals or wire together) to remove voltage. Or, at least take a phone off the hook to minimize voltage. Have phun. ____________________________ | \ | party box \ | By: deepdish | | Contact: brody@g33k.net | | / ----------------------------/ Okay, the party box. This box can be used in many ways. 1st you can make your own conf from this, if you have more then two phone lines. This is a very easy box. Materials: 2 or more phones (identical) 2 or more phone lines 1 roll of duck tape or solder iron and solder wire cutters First, you take the head set cords of both phones and you strip the wires about 2 inches from the base and strip the wires about an inch. Connect the one green (tip) wire from the phone to the other and so forth with the red (ring). There you go. you can do this with more then 2 fones if you have more then 2 lines. Other uses: You can make a beige box party box by just adding alligator clips to the phone and going to a TNI or a can box with more then one line. ___________________________________ | \ | A Phreaks Guide To 1337 Text \ | By: Reaver | | Contact: reaver_netpo@yahoo.com | | / -----------------------------------/ Gradually each hour, each day, each year more and more people join the ranks of the h/p scene. Be it for the pride, honor, or the respect of being able to learn about some of the best equipment ever invented by man they have joined. But I feel sorry them, for we as hackers and phreaks have our own language that we sometimes use. This is the language of 1337 73X7 (Leet Text). This language is easy to learn once you know the basics, but some don't even know the basics. So I have written this article to ensure that no one is left out in the dark in an in depth 1337 conversation. Here are the basics: 1: This number can be used for either I or L 3: E 4: A 5: S 6: G 7: T 8: G 0: O 12: R *Double numbers like these are rarely used. 13: B *Double numbers like these are rarely used. There are some others but for the most part these are the ones you should know. See I told you our 1337 14n6u463 w45 345y 70 134rn. Have a great day and hopefully next time someone speaks in 1337 you will understand them :). ___________________________________________ | \ | The New Motorola Bible \ | By: Agent5 | | Contact: crash_overide_9900@yahoo.com | | / -------------------------------------------/ Brought to you from the makers of sharp things. Well, I was sittin down wondering what the hell to do. So I updated the motorola bible. As I understand, the last update was in 1997 and a lot of changes have been made since then to motorola fones. While the old motorola bible still has a lot of info in it, it does not have what you need for the new shit out there. NOTE: on most of the newer fones you have to access test mode by entering... Fcn, 00**TESTMODE, Sto Motorola 8700 Turn on Clock To turn on the hidden clock on your phone follow the following procedure: In Setup menu turn ON "extended menu" in language selection change to "GREEK" or "EAAKA" exit menu press key labeled "i" (the info key) type *#25625# and finally turn OFF the phone next time you'll wake up the phone the clock will be on your display and while surfing menu you'll find the option to set its time. Show IMEI code If you need to know what's the IMEI code of your phone, simply press: * # 06 # you'll read it on display. RBS Info To activate RBS info menu simply press: [][][]113[]1[]OK ("[]" = the block you obtain pressing "*" for 3 seconds or more) this procedure seems not to work on all software version but it's the only one you can try from keypad. Some 8700 remain frozen after you switched on cell broadcast; the phone seems to function properly but it can't origin or receive any calls and turns off when you press any key. To view IMEI number *#06# Motorola Elite Test Mode To enter in Nam programming Mode, press: [arrow up] 000000000000 (12 times zero) [MR] now display shows the first step of NAM programming; simply enter data and move to the next step using: * (the same key of [left arrow]) Software version To see software version of your phone you need to short-circuit antenna ground with the two nearest pin together in the connector located under the phone. then: Power ON the phone and type: #19# Now display is showing software version of your phone. Serial Number To see the serial number of your phone you need to short-circuit antenna ground with the two nearest pin together in the connector located under the phone. then: Power ON the phone and type: #75# now display is showing the first pair of digits, then go ahead using * (the same key of [left arrow]) to show the second pair and so on. Pinout The pins are numbered 1 thru 10 from right to left ANT- (O) | | | | | | | | | | 1) Audio Ground 2) Ext b 3) T Data 4) C Data 5) R Data 6) Logic Ground 7) Audio Out - on/off 8) Audio In 9) Manual Test 10) Battery Feedback Motorola Flare Functionality enablement Following you'll find the procedure in order to get more menu's from your phone. But you don't just get more menu's, you'll get 99 more memories available, giving a total of 198 memories! These memories are stored in the phone, not in the SIM, which means you can store many more characters and numbers for each name. Before you begin, take note that: Make a note of your voicemail number! You may lose it during this! (don't worry, you can reprogram it later). You may need to use the master reset option to get outgoing DTMF going again after this. All the menu's seem to be dependant on others being available, so if you just activate one, it will say not available Lastly, p = a pause. i.e., what you get when you hold down the * button for 3 seconds. And then....let's go ! First of all, press ppp070p0p OK You have just turned off the code that disables further changes. This seems to have been set in some phones. Now enter: ppp000p1p OK ppp001p1p OK ppp002p1p OK all the way to ppp113p1p OK but AVOID ppp070p1p and ppp007p1p Don't worry, this only takes about 35 mins for all 111, but just don't lose count! Then go to phone setup menu, and select extended menu And finally .... You'd find some more menu items which wasn't there before and you got 99 more memory locations giving a total of 198 memories. Show IMEI code If you need to know what's the IMEI code of your phone, simply press: * # 06 # You'll read it on display. Pinout Numbered left to right, keypad up, battery down 1) Audio Ground 2) V 3) True data (TD) (input) 4) Downlink - Complimentary data (CD) (input) 5) Uplink - Return data (RD) (output) 6) GND 7) Audio Out - on/off 8) Audio In 9) Manual Test - ??? 10) Battery Feedback 11) Antenna connector To switch to the external antenna, a 2k2 resitor shout be placed in the coaxial antenna cable from shield to core. Motorola MicroTac Test Mode To enter in Nam programming Mode, you need to short-circuit the first and the third battery pin from the right, then: Power ON the phone Display will show "Tacs5", type in: 55 Now display shows the first step of NAM programming; simply enter data and move to the next step using: * (the same key of [left arrow]) Software version To enter in Nam programming Mode, you need to short-circuit the first and the third battery pin from the right, then: Power ON the phone Display will show "Tacs5", type in: 19 Now display is showing software version of your phone. Motorola StarTac Show IMEI code If you need to know what's the IMEI code of your phone, simply press: * # 06 # You'll read it on display. Pinout 1) Connected with 22pf to pin 3 2) RF out 3) Connected with 33 pf to pin 8, 33 pf to pin, 33 pf to pin 7 4) BAT_FDBAK 5) MAN_TEST connected with 10k to L275 6) RS232_TX - connected to MCU SPI bus 7) RS232_RX - connected to MCU SPI bus 8) AUDIO_IN 9) AUDIO_OUT 10) Connected with 33 pf to pin 13, 33 pf to pin 14 11) UPLINK -| 12) DOWNLINK -|- DSC bus connected to the BIC 13) DSC_EN_B -| 14) EXT_B 15) Gnd Motorola d460/2500/6200 (Flare)/7500/8200/8400/8700 To activate RBS: (pause means the * key held in until box appears) [pause] [pause] [pause] 1 1 3 [pause] 1 [pause] [ok] You now have to press the [MENU] and scroll to the 'Eng Field Options' function with the keys, and enable it. To de-activate RBS, [pause] [pause] [pause] 1 1 3 [pause] 0 [pause] [ok] This only works with some versions of software. Please report what works and doesn't for you. Reported working, by country: d460: IT 6200 Flare: UK (Orange), AU 7500: IT (model: F16 HW: 5.2 SW: 2.1) 8200: ES, AU, NL, BE 8400: IT, NL 8700: AU, IT, SG, DE, ES, ZA Uses of RBS: Distance From Base Station - Place a call, when it is answered, press [MENU] until 'Eng Field Option' is displayed, press [OK], select 'Active Cell', press [OK], press [MENU] until 'Time Adv xxx' appears, where xxx is a number. Multiply this number by 550, and the result is the distance from the RBS (Radio Base Station), in meters. Signal Quality - press [MENU] until 'Eng Field Option' is displayed, press [OK], select 'Active Cell', press [OK], press [MENU] until 'C1' appears. This is the signal quality. If it becomes negative for longer than 5 seconds, a new cell is selected. Options under Eng Field Options Eng Field Options Active Cell RxLev -55 Received powerlevel in dBm NCC 0 National Colour Code, used for identifying channel BCC 7 Broadcast Colour Code, also for identifying purposes MSTxPwr 35 Max allowed transmit power 35dBm about 3.2W C1 003 Is a calculated figure for the quality control signal which is constantly sent out from the RBS quality the signal returning from the phone has. If this value is negative for more than 5 sec then the system will make a cell switch. Time Adv xxx xxx is a number. Multiply this number by 550, and the result is the distance from the RBS (Radio Base Station), in meters. Adjacent Cells Adj Cell 1 Channel 0033 Channel Number RxLev -65 Received powerlevel in dBm BCCH Decode I think it means it is able to decode the channel information contained in the BCCH RxLevAM -104 Min allowed reception, compare with RxLev -65 and you get the C1 value which is 39 and reported back to base as measure of field strength. MTxPwr 35 Aain max allowed powerlevel C1 003 ?? NCC 0 National Colour Code BCC 6 Broadcast Colour Code System Parameters Combined Off ?? AcsClas 0000 Allows different priorities - this network doesn't support it. MCC 505 Mobile Country Code, 505 for Australia, 240 for Swedes etc MNC 01 Mobile Network Code, 01 for Mobilenet, 02 for Optus, 03 for Vodafone using MCC 505. MCCバ is often called Network Code LAC 08720 Location Area Code, shows which exchange your're in CellID 00473 Base Station Identity T3212 005 Time between periodic network updates (either hours between or time remaing until update, not sure) BS-PA-MFRM 4 ?? XZQTY 14.3 ?? Motorola Flip Pinout: ANT- (O) | | | | | | | | | | 10 9 8 7 6 5 4 3 2 1 Top of phone (screen) 1) Audio Ground 2) Ext b 3) T Data 4) C Data 5) R Data 6) Logic Ground 7) Audio Out - on/off 8) Audio In 9) Manual Test 10) Battery Feedback Motorola Analogue Phones MOTOROLA PROGRAMMING INSTRUCTIONS NOTES: Some units have dual NAM's. The ESN prefix is 130 decimal, 82 hex. Determine which access sequence to use: HAND HELD PORtable MODELS If the phone has a FCN button and no MENU button use sequence 1. If the phone has no FCN button use sequence 2. If the phone has a MENU button and a FCN button use sequence 4. INSTALLED MOBILE PHONES AND TRANSPORtable MODELS If the phone has no FCN button and no RCL button use sequence 3. If the phone has a FCN button use sequence 4. If the phone has a MEM button use sequence 5. If the phone has a RCL button and no FCN button use sequence 6. SEQUENCE# ACCESS CODE 1 FCN (SECURITY CODE TWICE) RCL 2 STO # (SECURITY CODE TWICE) RCL 3 CTL 0 (SECURITY CODE TWICE) * 4 FCN 0 (SECURITY CODE TWICE) RCL 5 FCN 0 (SECURITY CODE TWICE) MEM 6 CTL 0 (SECURITY CODE TWICE) RCL The default security code is 000000. The CTL (control) button is the single black button on the side of the handset. NAM programming: 1. Turn the power on. 2. Within ten seconds enter the access sequence as determined above. 3. The phone should now show "01" in the left of the display, this is the first programming entry step number. If it does not the security code is incorrect, or the programming lock-out counter has been exceeded. In either case you can still program the unit by following the steps under TEST MODE PROGRAMING below. 4. The * key is used to increment each step: Each time you press * the display will increment from the step number, displayed on the left, to the data stored in that step, displayed on the right. When the data is displayed make any necessary changes and press * to increment to the next step number. 5. The SND key is used to complete and exit programming when any STEP NUMBER is displayed. If you have enabled the second phone number bit in step 10 below then pressing SND will switch to NAM 2. Steps 01 thru 06, 09 and 10 will repeat for NAM 2, the step number will be followed by a "2" to indicate NAM two. 6. The CLR key will revert the display to the previously stored data. 7. The # key will abort programming at any time. PROGRAMING DATA: STEP# #OF DIGITS/RANGE DESCRIPTION 01 00000 - 32767 SYSTEM ID 02 3 DIGITS AREA CODE 03 7 DIGITS TEL NUMBER 04 2 DIGITS STATION CLASS MARK 05 2 DIGITS ACCESS OVERLOAD CLASS 06 2 DIGITS GROUP ID (10 IN USA) 07 6 DIGITS SECURITY CODE 08 3 DIGITS LOCK CODE 09 0333 OR 0334 INITIAL PAGING CHANNEL 10 6 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 1) 11 3 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 2) NOTES: Take care with Motorola's use of "0" and "1". Some options use "0" to enable, some use "1". 1. This is a 6 digit binary field used to select the following options: Digit 1: Internal handset speaker, 0 to enable. Digit 2: Local Use Mark, 0 or 1. Digit 3: MIN Mark, 0 or 1. Digit 4: Auto Recall, always set to 1 (enabled). Digit 5: Second phone number (not all phones), 1 to enable. Digit 6: Diversity (Two antennas, not all phones), 1 to enable. 2. This is a 3 digit binary field used to select the following options: Digit 1: Continuous DTMF, 1 to enable. Digit 2: Transportable Ringer/Speaker, 0=Transducer, 1=Handset. Digit 3: 8 hour time out in transportable mode, 0 to enable. TEST MODE ACCESS: INSTALLED MOBILE PHONES AND TRANSPORTALE MODELS To enter test mode on units with software version 85 and higher you must short pins 20 and 21 of the transceiver data connector. An RS232 break out box is useful for this, or construct a test mode adapter from standard Radio Shack parts. For MINI TR or Silver Mini Tac transceivers (smaller data connector) you can either short pins 9 and 14 or simply use a paper clip to short the hands free microphone connector. HAND HELD PORTABLE MODELS: There are two basic types of Motorola portable phones, the Micro-Tac series "Flip" phones, and the larger 8000 and Ultra Classic phones. Certain newer Motorola and Pioneer badged Micro-Tac phones do not have a "flip", but follow the same procedure as the Micro-Tac. 8000 & ULTRA CLASSIC SERIES: If you have an 8000 series phone determine the "type" before trying to enter test mode. On the back of the phone, or on the bottom in certain older models, locate the F09... number this is the series number. If the FOURTH digit of this number is a "D" you CAN NOT program the unit through test mode, a Motorola RTL4154/RTL4153 programmer is required to make any changes to this unit. Having determined that you do not have a "D" series phone the following procedure is used to access test mode: Remove the battery from the phone and locate the 12 contacts at the top near the antenna connector. These contacts are numbered 1 through 12 from top left through bottom right. Pin 6, top right, is the Manual Test Mode Pin. You must ground this pin while powering up the phone. Pin 7 (lower left) or the antenna connector should be used for ground. Follow one of these procedures to gain access to pin 6: 1. The top section of the battery that covers the contacts contains nothing but air. By careful measuring you can drill a small hole in the battery to gain access to pin 6, alternately simply cut the top off the battery with a hack saw. Having gained access use a paper clip to short pin six to the antenna connector ground while powering up the phone. 2. If you do not want to "destroy" a battery you can apply an external 7.5 volts to the and - connectors at the bottom of the phone, ground pin 6 while powering up the phone as above. 3. You can also try soldering or jamming a small jumper between pins 6 and 7 (top right to lower left), or between pin 6 and the antenna connector housing ground. Carefully replace the battery and power up the phone. Use caution with this method not to short out any other pin. 4. A cigarette lighter adapter, if you have one, also makes a great test mode adapter as it can be disassembled to give you easier access to pin 6. Many are pre marked, or even have holes in the right location. This is because they are often stamped from the same mold that the manufacturer uses for making hands free adapter kits and these kits require access to the phone's connectors. MICRO-TAC "FLIP" SERIES: This phone follows similar methods as outlined for the 8000 series above. Remove the battery and locate the three contacts at the bottom of the phone, the two outer contacts are raised and connect with the battery. The center contact is recessed, this is the Manual Test Mode connector. Now look at the battery contacts, the two outer ones supply power to the phone, the center contact is an "extra" ground. This ground needs to be shorted to the test mode connector on the phone. The easiest way to do this is to put a small piece of solder wick, wire, aluminum foil or any other conductive material into the recess on the phone. Having done this carefully replace the battery and turn on the power, if you have been successful the phone will wake up in test mode. TEST MODE PROGRAMING: Assuming you have completed one of the above steps correctly the phone will wake up in test mode when you turn the power on. When you first access test mode the phone's display will alternate between various status information that includes the received signal strength and channel number. The phone will operate normally in this mode. You can now access Service Mode by pressing the # key, the display will clear and a ' will appear. Use the following procedure to program the phone: 1. Enter 55# to access programming mode. 2. The * key advances to the next step. (NOTE that test mode programing does NOT have step numbers, each time you press the * key the phone will display the next data entry). 3. The CLR key will revert the display to the previously stored data. 4. The # key aborts programming at any time. 5. To complete programming you must scroll through ALL entries until a ' appears in the display. 6. Note that some entries contain more digits than can be displayed by the phone, in this case only the last part of the data can be seen. TEST MODE PROGRAMING DATA: STEP# #OF DIGITS/RANGE DESCRIPTION 01 00000 - 32767 SYSTEM ID 02 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 1 BELOW 03 10 DIGITS MIN (AREA CODE & TEL#) 04 2 DIGITS STATION CLASS MARK 05 2 DIGITS ACCESS OVERLOAD CLASS 06 2 DIGITS GROUP ID (10 IN USA) 07 6 DIGITS SECURITY CODE 08 3 DIGITS LOCK CODE 09 3 DIGITS SERVICE LEVEL (LEAVE AT 004) 10 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 2 BELOW 11 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 3 BELOW 12 0333 OR 0334 INITIAL PAGING CHANNEL 13 0333 "A" SYSTEM IPCH 14 0334 "B" SYSTEM IPCH 15 3 DIGIT NUMBER PAGING CHANNEL (021 IN USA) 16 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 4 BELOW Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone number bit has been enabled in step 11. NOTES: Take care with Motorola's use of "0" and "1". Some options use "0" to enable, some use "1". These are eight digit binary fields used to select the following options: 1. (step 02 above, suggested entry is: 11101001 for "A" system, 10101001 2. for "B" sys) Digit 1: Local use mark, 0 or 1. Digit 2: Preferred system, 0 or 1. Digit 3: End to end (DTMF) dialing, 1 to enable. Digit 4: Not used, enter 0. Digit 5: Repertory (speed) dialing, 1 to enable. Digit 6: Auxiliary (horn) alert, 1 to enable. Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands free audio until the MUTE key is pressed). Digit 8: Min mark, 0 or 1. 2. (step 10 above, suggested entry is: 00000100) Digits 1 - 4: Not used in USA, enter 0. Digit 5: Single system scan, 1 to enable (scan A or B system only, determined by bit 2 of step 02. Set to "0" to allow user the option). Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will dial the number stored in memory location NN). Digit 7: User selectable service level, 0 to enable (allows user to set long distance/memory access dialing restrictions). Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the phone, if this is set to 1 the phone can not be locked). 3. (step 11 above, suggested entry is: 00000000) Digit 1: Handset programming, 0 to enable (allows access to programing mode without having to enter test mode). Digit 2: Second phone number (not all phones), 1 to enable. Digit 3: Call timer access, 0 to enable. Digit 4: Auto system busy redial, 0 to enable. Digit 5: Speaker disable, 1 to enable (use with select VSP units only, do not use with 2000 series mobiles). Digit 6: IMTS/Cellular, 1 to enable (rarely used). Digit 7: User selectable system registration, 0 to enable. Digit 8: Dual antennae (diversity), 1 to enable. 4. (step 16 above, suggested entry is: 0011010 for portable and 0011011 for mobile units) Digit 1: Not used, 0 only. Digit 2: Not used, 0 only Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later) Digit 4: 8 hour time-out, 0 to enable (software version 8735 and later) Digit 5: Not used, 0 only. Digit 6: Failed page indicator, 0 to enable (phone beeps when an incoming call is detected but signal conditions prevent completion of the call). Digit 7: Portable scan, 0 for portable, 1 for mobile units. C-SCAN OPTION: Newer Motorola phones are equipped with a feature called C-Scan, this is an option along with the standard A/B system selections. C-Scan allows the phone to be programmed with up to five inhibited system ID's per NAM. This is designed to prevent the phone from roaming onto specified non-home systems and therefore reduce "accidental" roaming fees. 1. C-Scan can only be programmed from test mode, power phone up with the relevant test mode contact grounded (see above). 2. Press # to access test mode. 3. Press 18#, the phone will display "0 40000". 4. Enter the first inhibited system ID and press *. Continue to enter additional system ID's if required. After the 5th entry the phone will display "N2". Press * to continue and add system ID's for NAM 2 as required. 5. If an incorrect entry is made (outside the range of 00000-32767) the display will not advance, press CLR and re-enter. Use a setting of 40000 for any un-needed locations. 6. When the last entry has been made press * to store and press # to exit, turn off power. LOCK/UNLOCK PROCEDURES: Phones with "LOCK" buttons: Press lock for at least 1/2 a second. Phones with a "FCN" button: Press FCN 5, note that 5 has the letter's "J,K, and L" for lock. Phones with no FCN or LOCK button: Press Control 5, control is the black volume button on the side of the handset. SYSTEM SELECT PROCEDURES: Phones with a RCL button: Press RCL *, then * to select, STO to store. Phones with no RCL button: Press Control * then * to select, # to store. Options are: CSCAn: Preferred/Non preferred with system lockout. Std A/b, or Std b/A: Preferred/Non preferred. SCAn Ab, or SCAn bA: Non preferred/Preferred SCAn A: "A" ONLY SCAn b: "B" ONLY HOME: Home only (these are typical options, some phone's vary. C-Scan only available on newer models and does not appear unless programmed, see above GENERAL NOTES: HANDSETS: Most Motorola handsets are interchangeable, when a handset is used with a transceiver other than the one it was designed for the display will show "LOANER". Some features and buttons may not work, for instance if the original handset did not have a RCL or STO button, and the replacement does, you will have to use the control * or control # sequence to access memory and A/B system select procedures. MOTOROLA TEST MODE COMMANDS: 01# RESTART (POWER OFF THEN ON) 02# STATUS DISPLAY, ALTERNATES BETWEEN: ABC DEF where: ABC = Channel number DEF = Received sensitivity for that channel and: A B C D E F G where: A = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock) B = Carrier (0=off, 1=on) C = Signalling tone (0=off, 1=on) D = Power level (0 through 7) E = Channel mode (0=voice channel, 1=control channel) F = Receive audio mute (0=unmuted, 1=muted) G = Transmit audio mute (0=unmuted, 1=muted) Press * to hold display and # to end. 03# Reset call timers 04# Initialize Tranceiver to following settings: Carrier = OFF Receive Audio = MUTED Transmit Audio = MUTED Signaling Tone = OFF Call Timer RESET and peroiodic resetting ENABLED SAT = OFF DTMF & Audio Tones = OFF Audio Path = To SPEAKER 05# Turn Carrier ON 06# Turn Carrier OFF 07# Mute RECEIVE audio 08# Unmute RECEIVE audio 09# Mute TRANSMIT audio 10# Unmute TRANSMIT audio 11ABC# Load Synthesizer with ABC, where ABC=the channel number in decimal 12A# Set RF power level to A, where A=1 to 7 13# Power down phone 14# Transmit signaling tone 15# Stop transmit of signaling tone 16# Transmit a five word reverse voice channel message, all words will be: "FF00AA55CC33" 17# Transmit a two word reverse voice channel message, both words will be: "FF00AA55CC33" 18# Display contents of NAM one address at a time, press * to advance, press # to exit. (Two digit number to the left is the ADDRESS, to the right is the DATA) 19# Display software version 20# Receive control channel messages counting correctable and uncorrectable errors. When the command starts the number of the command will be displayed in the upper right hand corner of the display. Entering a # will terminate the test and display two three digit numbers. The first number is the number of correctable errors and the second is uncorrectable errors. 21# Receive voice channel messages counting correctable and uncorrectable errors. When the command starts the number of the command will be displayed in the upper right hand corner of the display. Entering a # will terminate the test and display two three digit numbers. The first number is the number of correctable errors and the second is uncorrectable errors. 22# Receive control channel messages counting word sync sequences. When the command starts the number of the command will be displayed in the upper right hand corner of the display. Entering a # will terminate the test and display the number of word sync sequences in the display. 23# Receive voice channel messages counting word sync sequences. When the command starts the number of the command will be displayed in the upper right hand corner of the display. Entering a # will terminate the test and display the number of word sync sequences in the display. 24# Turn SAT transmission ON 25# SAT OFF 27# Transmit continuous control channel data, all words are: "FF00AA55CC33". When the command starts the number of the command will be displayed in the upper right hand corner of the display. Press # to terminate the test. 28# Activate high tone (1150 Hz 55 Hz) 29# Deactivate high tone 30# Activate low tone (770 Hz 40 Hz) 31# Deactivate low tone 32# Initialize all non-volatile memory to zeros. Resets unit and makes it look "new". 33A# Activate DTMF tone where A = DTMF digit 0 through 9 34# Deactivate DTMF 35A# Send audio path to A where A = 0 for handsfree, 1 for speaker, 2 for alert, 3 for Handset 36ABC# Activate channel scan, ABC is scan speed in milliseconds. Tunes from channel 1 to 666. Press * to pause scan and display RSSI, if scan speed is 300 milliseconds or greater the RSSI is displayed with each channel, if scan is less than 300 milliseconds the RSSI is only displayed when you press * 37# not used 38# Display serial number in hex (ESN). Displayes the byte number in the upper right side of the display and the data to the left, press * to step through the bytes, press # to exit. 39# Receive one control channel word, when the word is received it will be displayed in hex. Command terminates when the word has been received or when # is pressed. 40# Receive one voice channel word, when the word is received it will be displayed in hex. Command terminates when the word has been received or when # is pressed. 41# (F19CTA models only) Enables the diversity antenna option on mobiles so equipped. 42# Disable diversity. 43# Disable diversity and force the mobile to use the TRANSMIT antenna. 44# Disable diversity and force the mobile to use the RECEIVE antenna. 45# Display the RSSI reading taken on the current channel. 46# Display the cumulative call timer. 47A# Set audio level to A where A = 0 lowest, A = 6 highest, or A = 7 muted. 48# Turn sidetone on 49# Sidetone off 50# Maintenance data is transmitted and test results displayed: PASS = Received data is correct, FAIL1 = No data received within 2 seconds, FAIL2 = Received data is incorrect. 51# Maintenance data is transmitted and looped back and test results displayed: PASS = Looped back data is correct, FAIL1 = No data looped back within 2 seconds, FAIL2 = Looped back data is incorrect. 52A# Set phase adjustment. A decimal number thet corresponds to phase shift compensation in 4.5 degree increments. Compensation added to the inherant phase shift of the tranceiver to acheive a total phase shift of 0 (zero) degrees. Do not enter any value other than from the following list: # entered, Degree of shift 0 0 59 121.5 86 243.0 1 4.5 60 126.0 87 247.5 2 9.0 61 130.5 112 252.0 3 13.5 62 135.0 113 256.5 4 18.0 63 139.5 114 261.0 5 22.5 40 144.0 115 265.5 6 27.0 41 148.5 116 270.0 7 31.5 42 153.0 117 274.5 16 36.0 43 157.5 118 279.0 17 40.5 44 162.0 119 283.5 18 45.0 45 166.5 120 288.0 19 49.5 46 171.0 121 292.5 20 54.0 47 175.5 122 297.0 21 58.5 64 180.0 123 301.5 22 63.0 65 184.5 124 306.0 23 67.5 66 189.0 125 310.5 48 72.0 67 193.5 126 315.0 49 76.5 68 198.0 127 319.5 50 81.0 69 202.5 104 324.0 51 85.5 70 207.0 105 328.5 52 90.0 71 211.5 106 333.0 53 94.5 80 216.0 107 337.5 54 99.0 81 220.5 108 342.0 55 103.5 82 225.0 109 346.5 56 108.0 83 229.5 110 351.0 57 112.5 84 234.0 111 355.5 58 117.0 85 238.5 53# Enable scrambler option, if equipped. 54# Disable scrambler option, if equipped. 55# Test Mode programming. 58# Compandor on. Audio compressor and expandor on. 59# Compandor off. Audio compressor and expandor off. 61# Serial number transfer, not all models. 62# Turn on audio ringer path. 63# Turn off audio ringer path. 70# Abbreviated field transmitter audio deviation command for tranceivers with FCC ID: ABZ89FT5668. 71# Abbreviated field power adjustment command for tranceivers with FCC ID: ABZ89FT5668. 72# Field audio phasing command. 73# Field power adjustment command. And now to the specifics....In this section I will list a few specific Motorola Phones and their codes, that are significant to us as Telecommunications Hobbiests. Motorola 6200 To activate RBS (Engineering Menus): [pause] [pause] [pause] 1 1 3 [pause] 1 [pause] [ok] (pause means the * key held in until box appears) You now have to press the [MENU] and scroll to the 'Eng Field Options' function with the < or > keys, and enable it. To de-activate RBS (Engineering Menus): [pause] [pause] [pause] 1 1 3 [pause] 0 [pause] [ok] (pause means the * key held in until box appears) Works on 6200's,8200's,1-888's,7500's,8400's and GSM StarTacs with later than version .27 software. Options under Eng Field Options Eng Field Options Active Cell RxLev -55 Received powerlevel in dBm NCC 0 National Colour Code, used for identifying channel BCC 7 Broadcast Colour Code, also for identifying purposes MSTxPwr 35 Max allowed transmit power 35dBm about 3.2W C1 003 Is a calculated figure for the quality control signal which is constantly sent out from the RBS quality the signal returning from the phone has. If this value is negative for more than 5 sec then the system will make a cell switch.Time Adv xxx xxx is a number. Multiply this number by 550, and the result is the distance from the RBS (Radio Base Station), in meters. Adjacent Cells Adj Cell 1 Channel 0033 Channel Number RxLev -65 Received powerlevel in dBm BCCH Decode I think it means it is able to decode the channel information contained in the BCCH RxLevAM -104 Min allowed reception, compare with RxLev -65 and you get the C1 value which is 39 and reported back to base as measure of field strength. MTxPwr 35 Aain max allowed powerlevel C1 003 ?? NCC 0 National Colour Code BCC 6 Broadcast Colour Code System Parameters Combined Off ?? AcsClas 0000 Allows different priorities - this network doesn't support it. MCC 505 Mobile Country Code, 505 for Australia, 240 for Swedes etc MNC 01 Mobile Network Code, 01 for Mobilenet, 02 for Optus, 03 for Vodafone using MCC 505. MCC+MNC is often called Network Code LAC 08720 Location Area Code, shows which exchange your're in CellID 00473 Base Station Identity T3212 005 Time between periodic network updates (either hours between or time remaing until update, not sure) BS-PA-MFRM 4 ?? XZQTY 14.3 ?? Motorola Flip Pinout: ANT- (O) | | | | | | | | | | 10 9 8 7 6 5 4 3 2 1 Top of phone (screen) 1) Audio Ground 2) Ext b+ 3) T Data 4) C Data 5) R Data 6) Logic Ground 7) Audio Out - on/off 8) Audio In 9) Manual Test 10) Battery Feedback FREE CALL TIP! FIND YOURSELF ONE O THSES BABIES AND YOU'RE SET FOR LIFE! The trick can be done on cd160 and cd520 only: 1 Enter the phone number 2 Enter OK 3 Type *#06# 4 Press Button C 4 And finally press the button for power off. You should now be able to talk without being billed. Bag fone... Any bag fone... just get one cause they are cheap and easy to program and get pretty good reception! Motorola CD 160 Tip. Press menu and type one of these numbers and press OK: 11 = Status Review 13 = Available Networks 14 = Preferred Networks 22 = Select Keypad Tones 25 = Require SIM Card PIN 26 = Language Selection 32 = Repetitive Timer 33 = Single Alert Timer 34 = Set IN-Call Display 35 = Show Call Timers 36 = Show Call Charges 37 = Call Charge Settings 38 = Reset All Timers 43 = Reset All Timers 45 = Show Last Call 46 = Total For All Calls 47 = Lifetime Timer 51 = Change Unlock Code 52 = Master Reset 53 = Master Clear (Warning!! May result in deleting the Message Editor!!!) 54 = New Security Code 55 = Automatic Lock 63 = Battery Saving Mode That should be it. If you have any questions, find them out yourself. ___________________________________________ | \ | Social Engineering Independent Telcos \ | By: Xenocide | | Contact: xen423@yahoo.com | | / |------------------------------------------/ Intro: Have you ever wanted to get those super duper k-rad telco test numbers? Thought the only way was scanning? Well my friend to day is you're lucky day! Cause you've won five thousand dollars! No, not really but I am going to teach you how to social engineer test numbers from Independent telcos. There are a few requirements to this article: 1) Half a brain 2) Local phone book 3) Pencil & paper 4) Working phone (preferably pay phone) 5) Patience Now that you have those basic necessities, let's begin. First look up Telephone in the yellow pages of your phone book. Look for something that says Telephone/PBX Installation or any thing closely related. Write these numbers down along with their name, these are the major telco's competition. Now that you have a list of numbers to call, let's make a script. You may want to make a copy of it to take with you but as in any social engineering situation, the conversation can change drastically in seconds. Always be prepared and know everything about who and what you are social engineering. If the conversation gets sticky and you don't know what to do, try to get out of it as quick and smooth as you can. If they catch on to what you're doing then you might not have another chance at calling back. YOU - You THM - The Independent Telco YOU : Dials number to telco... THM : Hello, this is LameTelco how may I help you YOU : Yes this is (any first name), I'm out here in (local city/town) working on a trouble ticket and I've got all these pairs here and no way to match them to their owners. The reason for that is the hand-set I was using broke and it had my/all my (ANAC/Ringback/ Loop/DATU/RCMAC...) number(s) programmed in its memory and I don't carry my number book with me any more so I'm in a bit of a jam. I'd really appreciate it if you could get me this/these number(s) so I can get back to work. THM : Ok Sir, please hold... THM : Ok sir, here is the number(s) you requested. YOU : (Write the number(s) down!!!) Ok thanks a lot. THM : Hey no problem. Owned! Hopefully it will go as smooth as that. Sometimes they will want more info out of you, like, What office are you working out of? What is the trouble ticket number? What the hell is a test number? Just be prepared to answer qucikly so it looks like you're who you say you are. If they ask What is the ticket number? then smoothly reply I left it in my truck or something to that effect. If things get harsh or you are having trouble then politely say I will get in touch with my repair foreman. Just make sure they don't know you tired to social engineer themotherwise if and when you call back they will prolly be a lot more stricton the info they give you. Now go to the phone or payphone. Make sure if you call from your home phone that you have some way to hide your number. And always have fun, thats what phreaking is about, having fun, exploring, learning and sharing. Note from the editor: "Damn, man! This article had more spelling errors than Microsoft's Windows 2000 'Getting Started' guide!" _____________________________________________________________ | \ | OBTAINING SOCIAL SECURITY NUMBERS AND HENCE CREDIT CARDS \ | By: Loc | | loc@fuckmicrosoft.com | | / |------------------------------------------------------------/ co-thought-up with b4l0r Go to my personal bitch, a Target department store. Now, find the employee application machine. There are going to be two of them in any given store, they will be side by side in little sit down booths. They can also be used to set up teleconferences, if you read my article in UPL 26. Now, there is a slot to the right of the application machine. These are used for the applicants to write sosec info, birthday info and address on, sign and drop into the slot. However, this is just begging to be exploited. Simply gank the papers outa the slot (they're very easy to get) and walk out. The directios on the paper tell you not to write the year of your birthday, but most people applying to a job at target are idiots and do so anyway. These are the best applications to work with as you will not need to call them and SE any information. If they didn't write the year of their birthday, use their names and addresses to get their fone number. Call them and say its Subway Birthday club and they get a free footlong meal on their birthday. Tell them that you cross check all month date and year values to ensure that no fraud occurs. There, you've got the info. Now obtain a PO box. This is somewhat hard but you can fabricate identification and get a mailboxes etc box. There are tons of credit card applications everywhere, you generally just don't notice them. Pick up every credit card application that you see and fill it out as one of your victims. An Apple loan would also be very nice, a dual 800 g4 with 22 inch monitor for the price of a PO box for a month, approximately 10 bucks. (Note from the editor: Loc's views on use of Apple and Mac products do not reflect those of the Editor or those of the members of 13370 phr34k0 h34d'5 or their affiliates.) Start carding your ass off. The beauty of this method is that the victim will not be alerted for a few months, and neither will the CC company, they'll just think your not good with money and black list 'your' credit. You can use the same PO box for a long time, but I wouldn't reccomend using more than a month, for safety's sake. _________________________________________ | \ | Cordless Phone fun \ | By: Jackass | | Contact: jackass_440@pla440.zzn.com | | / |----------------------------------------/ Ok now to get to the cool stuff. To listen in on cordless phones you will need a police scanner I recommend a programmable one these can be bought at Radio Shack for an ungodly amount or try Ebay. I've seen them decently cheap on there. Now that you have your scanner, program these frequencies in and listen all you want. I recommend you program the base frequency in because you'll hear both sides of the conversation but if you want program in that handset I could really careless. Channel Base Handset 1 43.720 48.760 2 43.740 48.840 3 43.820 48.860 4 43.840 48.920 5 43.920 49.020 6 43.960 49.080 7 44.120 49.100 8 44.160 49.160 9 44.180 49.200 10 44.200 49.240 11 44.320 49.280 12 44.360 49.360 13 44.400 49.400 14 44.460 49.460 15 44.480 49.500 16 46.610 49.670 17 46.630 49.845 18 46.670 49.860 19 46.710 49.770 20 46.730 49.875 21 46.770 49.830 22 46.830 49.890 23 46.870 49.930 24 46.930 49.990 25 46.970 49.970 Now its time for the real fun shit. I'm going to tell you how to broadcast and or block cordless phone transmission. What you need 1. A VHF CB that you can mod for out of band transmission. 2. A transverter (I used a Ten Tec model 1209) Ok now that you have all that stuff its time to have fun. So you have modded your CB and have the transverter all you have to do now is add 94 MHz to the frequencies and your ready to have fun and if you can't figure out what to do with it then you shouldn't have read this part and you wasted money go give your new toy to some punk kids to play with Im sure they'll enjoy it. I figured Id save you the trouble and listed the frequencies below. Base -=======- 137.7200 137.7400 137.8200 137.8400 137.9200 137.9600 138.1200 138.1600 138.1800 138.2000 138.3200 138.3600 138.4000 138.4600 138.4800 140.6100 140.6300 140.6700 140.7100 140.7300 140.7700 140.8300 140.8700 140.9300 140.9700 Handset -========- 142.7600 142.8400 142.8600 142.9200 143.0000 143.0800 143.1000 143.1600 143.2000 143.2400 143.2800 143.3600 143.4000 143.4600 143.5000 143.6700 143.7700 143.8600 143.7700 143.8750 143.8300 143.8600 143.9300 143.9900 143.9700 Ok now for something else useless but cool. Get a cordless handet (preferably the kind that the channel changes on the base) and walk around with it not only can you listen in but you can make free calls. Just be carefull. Well, I'm just about finished. But I have one last thing. The cordless beige box. Just get a cordless phone (base and hand set and a way to power the base ::cough:: batteries) and hook it up like a beige box and viola you got a cool little toy. WELL THATS IT HAVE FUN AND BE A GOOD LIL PHREAK!