The Story of the Millennium Part II (TTY) By: The Clone Written: Tuesday February 12, 2002 Introduction: This file was written as a follow-up to my critically acclaimed file "The Story of the Millennium". Although this file doesn't have quite the same exciting story line, it's still interesting enough to write about because it gives some more insight into how TOPS/TTY operator consoles work with each other as well as their obvious limitations. Although this file may be looked at as common knowledge to the advanced phreak, it may help those who are new to the phreaking world. Now sit back, relax, and read. - Definitions: CA = Communications Assistant GA = Go Ahead SK or SKSK = Stop keying, type this before you disconnect TDD = Telecommunications Device for the Deaf (no longer used) TRS = Telus Relay Service TTY = Teletypewriter q = q is used to denote a question mark. - Exposé; A couple of days ago while waiting inside my city's wonderful public transportation service shelter at Northgate Mall in Edmonton, I decided to give my brother a call to see if "Robot Wars" was playing on television. Instead of going through the trouble of finding change to place into the Millennium payphone, I resorted to using the tty machine that was attached. (names and numbers have been modified to protect the innocent/guilty) * The Clone picks up the payphone's receiver and dials 711 * (TTY OP) [ "Telus Relay Operator services, Janice here. GA" ] (The Clone) [ "Hi Janice. The Clone here. Calling MSM, 555-1212 GA" ] (TTY OP) [ "Thank you, one moment. Ring 1, Ring 2, Ring 3... MSM on line. GA" ] (The Clone) [ "Hey, MSM. Clone here... what time is Robot Wars on? GA" ] (TTY OP) [ "MSM: It's on right now. Come home now." ] (The Clone) [ "Alright see you. SKSK" ] - CALL ENDS - I proceed to hang up the receiver, and watch in amazement as the TTY keyboard closes into its box. Wow, technology is neato. Bored, and still waiting for my bus to arrive, I decide to use this free calling service to my advantage and call my girlfriend. I pick up the receiver again, dial 711 and wait for that nice tty-churp. To my dismay, I get a voice-recording "Please hang up and dial again" as well as a text message on the Millennium's LCD-display saying the exact same thing. Pissed off and confused (happens a lot), I proceed to hang up the phone and dial 711 again. After about a minute of doing this over and over, I grow tired and decide to dial "0" for the operator. Immediately after dialing "0", I get an operator... (Operator) [ "Thank you for calling Telus, David speaking." ] (The Clone) [ "Yes, I'm at a Millennium payphone right now with my friend who is deaf. He's trying to use the TTY enabled payphone but when we dial 711, the keyboard doesn't come out and allow us to talk to a TRS op." (Operator) [ "Umm.. okay. Umm... (uncomfortable silence)" ] (The Clone) [ "Are you going to help us or not?" ] (Operator) [ "Yes, just a second. I'm going to transfer you to 711. Do you want voice or data TTY? Ahh I'll give you data.." ] (The Clone) [ "Data? You're stupid, but okay give it a shot..." ] (Operator) [ "I love it when you call me that. One moment." ] (The Clone) [ "Alright, thank you." ] Now the 0+ TOPS operator tries to transfer the voice call through a data trunk and I get all sorts of weird messages. First off, I hear 2 seconds of static, followed by a 2200hz tone, then the message "The number you have dialed is long distance...", then it cuts out and I get the message "Please hang up and dial again.", then the call is suddenly seized and it hangs up on me. Obviously TOPS operator consoles don't have the ability to route voice to TTY data trunks, or else I would of been communicating with a friendly TRS. Even more angry and communication deprived, I call "0" again and get connected with an operator named "Sally". I proceed to ask Sally if she's the same Sally from the movie "When Harry met Sally", and if so could she please do the fake orgasm "thing" (just kidding). So I tell Sally the sad story about how my friend couldn't get through to the TRS operator when calling 711 at a TTY-enabled payphone, and how when I spoke to David the 0 operator, I got misrouted. Sally replied "Well sir, I'm sorry that David didn't realize the limitations of our routing. Also, he should of known you can't route voice to TTY-data! Just a second, I'll route you to a voice operator who can enable the TTY machine from her console..." [ Call forwards ] The pulse-stream MF (Modular Frequency) looked something like this: (minus the finer points of ANI spills that are beyond the obvious scope of this article) KP + || + 3/10D + ST + KP + 711 + 02 + ST || = 2 information digits - typical values are: 00 Normal ANI ... 10 digits follows 01 ONI line ... NPA follows 02 ANI failure ... NPA follows 3/10D = 3 or 10 digits. When 3 digits is sent, that's the NPA, when 10 digits is sent, it's the entire NPA+PREFIX+SUFFIX. KP/ST = control tones - Operator answers the call: "Thank you for calling Telus Relay Operator services, Jennifer speaking." The Clone: "Hi there. My friend, who is deaf, is trying to use the TTY machine attached to this payphone. Can you please enable the TTY machine, and verify my ANI information. Thanks." TTY-Operator: "Just a moment. Sir, we have an ANI failure. What number are you calling from?" (at this point I give her the modem pool # for Edmonton Freenet...) The Clone: "Oh, it's 428-3929." TTY-Operator: "Thank you. I'll enable the TTY now..." I hear the high pitched TTY-churp on the receiver, and the keyboard comes out, allowing me to place the call. The call goes through, and I'm happy as a candy-rayvER on ecstasy (minus the gayness). ! Buddah-Bing-Buddah-Boom: Simple Social Engineering will allow you to op-divert and spoof your actual ANI information. =) - Final Words; It's always neat to learn about limitations the TOPS console to TTY console have, as well as the numerous fun one can have by spoofing their identity via simple op divertion... Have a nice day! - Contact infô; E-mail: theclone@hackcanada.com URL: www.nettwerked.net -