..the eye of the storm..
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$                                     $
$         -------------------         $
$         ! tandem scanning !         $
$         -------------------         $
$                                     $
$     reprinted from tap issue # 50   $
$        written by dr. john          $
$                                     $
$       typed and uploaded by:        $
$                                     $
$$$$$$$$$$$$-=>lex luthor<=-$$$$$$$$$$$


tandem scanning is the most risky of all because it has to be done with a blue
box. it is recommended that you use pay phones. tandems usually have some
rather interesting codes. so let's talk about them for a while - there are
routing codes, operator codes, exchange codes, area codes, translation codes,
and service codes (special). each will be discussed in detail.

operator codes - usually the last few digits sent - follows the
-------- -----   routing codes. here are the standard operator codes:

101 - test board for the specific toll office. their purpose is to do
trunk measurement and testing.

121 - inward operator - usually assists your local "0" operator in
connecting to party. the 121 operator will not dial anything
out of the toll area. as long as requests of assistance in
dialing is in the local dialing area or her serving area, the
operator will never question a call.

131 - directory assistance operator - this is similar to a 555-1212
type except it is what the operator dials.

141 - route and rate - this is what the operator dials to get:
1. rate information
2. routing information such as special overseas operator etc.
the routing usually is to an overseas op. - usually to get
them to connect you to a strange country not on the iotc
list of direct dial countries.
3. 800-141 is a special wats information service where the
op. gets alternate routing info on wats.

160-xx0 - overseas ops. to various countries.

11xxx - special marine verify operators where there are non standard
codes. this is good scanning material! - ie. from 11000 to
11999 can yield very interesting ops. such as "leave word and         call
back" also "confernce operators"

translation codes - used for inwats and overseas dialing - also in
----------- -----   verify. most all translation codes start with a "1".

inwats - some typical inwats codes are: 125, 135, 145, 163, 164, 165.
the third digit is the "band" of the wats.

08x - is also used where x is the band number. for example you can
reach any 800 number regardless of where you are disregarding
what band it is by dialing 085-424-9337 - you are band 5 to
800-424-9337, 084-424-9337 - you are band 4 to 800-424-9337.
you can also dail 145-9337 or 144-9337, etc. if you are in the
202 area code. the complete number is 202-145-9337.

overseas - 18x codes are overseas ops. access codes. to dial over
--------   seas, the standard op. code is: kp 011 + 0cc st where cc
is the country code. you then get routed to an appropriate
"sender" at one of the gateway cities and then you key in
the country code + city code + number. the senders are:

182 = white plains, ny 183 = n.y. city 184 = pittsburgh, pa 185 = orlando, fl
186 = oakland, ca 187 = denver, co 188 = ny (not montreal)

to find out what "sender" you get, key in kp + 000-0000 + st to any of the
above senders. for example, suppose you wanted to find out the sender that new
zealand is routed through. the cc for new zealand is 064 so you would key in kp
+ 011 + 064 + st, wait for your beep - click - tone, then key in kp+ 000-0000 +
st. you would then hear "this is the international switching center in denver,
colo. - this is a recording - 3031 " you now know that 187 was used.

service routing - these codes go to route and rate computers, credit
------- -------   card check computers, etc.

in l.a. bell installed a computer to check credit cards. this computer not only
checks the rao code with the actual credit card number (ccn)  but it actually
checks its actual validity. a considerable amount of scanning was done to
retrieve the code. it is kp-213-000-st or kp-000-st into any california tandem.
you get a brief tone followed by a kachunk, then you key in a 3 digit office
code which identifies the operator office that has asked for the check followed
with the actual credit card number without the area code. for example, to check
a credit card whose phone number is 264-2999 and the rao code is 293, you'd
make up an 3 digit office code (any will do) and dial 375-264-2999-293-j and
the computer would give one of the following four responces:

1. "negative, negative 264-2999-293 negative.
2. "ok ok (reorder)"
3. "re-key re-key" (you must key in the ccn again).
4. "re-dail re-dial" (you must redo the kp-000-st or
kp-213-000-st)

a complete scan was done on the 3 digit office codes. this was done in 1972
when the computer went into service. no one has done it since then. it might be
possible now to remotely program it - to make it say ok ok to your favorite
phone number. another special code is 317-009. this is affectionately known as
the "golden goose" computer. it is very handy and i'm going to explain what has
been found, again by scanning. kp-317-009-st gets you beep kerchunck. then
kp-999+xxxxxxxxxxx-st where xx are from 2 to 11 digits. if you key in less than
2 digits it will say "short short" and if you key in more than 11 digits it
will say "long long". however, if you stay within the range, it will repeat
back each digit you sent to it. the purpose is to check the operation of your
blue box! yes! i kid you not! it is an mf checker that works great! for
example, if you key in kp-317-009-st then kp-999-1234567890-st and it says"one,
two, three, five, six, eight, nine, zero", you know that four and seven aren't
getting through and guess what - yeah, you guessed it - the 700hz oscillator is
either off-frequency or lower in amplitude than the rest. the tolerance on the
317-009 is much tighter than the regular tandems so it is great to use to keep
your mf equipment up to par, however, getting through to 317-009 is possible
and getting it to respond might be hard if all your tones are off frequency so
try to time your "little blue toy organ" as close to frequency as possible
before you tie up the line checking with the 317-009. it would be criminal to
tie up this line checking your out-of-tune organ while other young boxers are
eagerly awaiting to check their handy work..

now let's suppose you are having trouble getting 202-456-1212 to work and you
want to find the routing code. first you key in kp-317-009-st or kp-009-st if
you're already in 317. then key in kp-202-456-st and it will say "route area
plus one two one" which means that 202-121 will get you the proper operator. to
get the proper operator for the number 707-777-9999 you key in kp-317-009-st
then kp-707-777-st and you should hear "route area plus zero zero one"-"check
nine" which means that 707-001 will get you the operator for the 777 exchange.
the "check nine" tells you that 707-777-9999 is a pay phone. (after the three
digit area code and the three digit exchange the first digit in the last four
digits is usually a "9" indicating a pay phone although some of the newer pay
phone exchanges are starting to use "8").

maybe now i should clarify the difference between scanning and hacking.
scanning is usually *sequentually* trying numbers while hacking is *randomly*
trying the *best bet* numbers. while scanning or hacking up tandems, the thing
to remember is never stay on longer than 3-5 minutes at a time!!! always use
*working* numbers when scanning and *stay away* from all 800 numbers or
555-1212 numbers as they are *very* unsafe! do your scanning after 11pm your
time and remember if the trunk or code supes it can only cost you a quarter at
the most. most of the time you will be getting tandem recordings and *droping
cards like crazy* which is why you should dial back in every 3 minutes or so.
normally, you don't ring numbers more than 3-5 minutes if there's no answer.
the"shmuck" in the 4a will probably try to track you down because of all your
card droppings and you shouldn't want to stay there sitting like a
"duck"beeping into the phone. you could be traced but that takes time, at least
2-3 minutes. it usually takes 30 seconds to determine which city you are coming
from but quite a lot longer to get your exchange. (this issue is a little old
and i believe they can trace quite a bit faster than 2-3 minutes. your best bet
is to get a scanner and find out the frequency that bell security uses and
listen in on the local police channel, if they find out where you are, you will
definitly hear some activity over the scanner.) this ties up at least 3 people
on your end and at 11pm or later, those "shmucks" got better things to do.
since you are not ripping them off by using 800 numbers or 555-1212 numbers,
they really couldn't bust you anyway, and if you fuck up and supe a phew  - so
what! your ama won't look funny so the security department won't catch on. if
someone does come on the line you will hear a high pitched tone around 2,000hz
and a few "clicking" noises. remember, the guy in the 4a has to send an
identifying tone to trace. this is a very *soft* 2,000 hz tone. if this happens
**stop**!!!! hang up and do it again a few hours later or scan another tandem
from another pay phone.

other uses include automatic rate information. for example, if you can scan
around and determine the codes for any day rate, evening rate, weekend rate,
and coin control, you can scan by keying kp-(rate codes)-(area
code)-000-0000-(area code)-000-0000-st. the first area code and number are
yours and the second area code and number are the number you're calling. the
computer will then say "rate-one, four, five - coast to coast current pay phone
rate." this means $1.45 for the first 3 minutes.

here are some progressions to try: 000-009, 022-029, 032-039, 092-099. skip 011
because it is for the overseas sender and skip 010 and 012-019 because these
are reserved for twx. (see tap issue #49 or the reprint phile on this bbs for
more info on twx phreaking.) follow each code with 121. if it goes to an
operator and she picks up, blow it off. don't worry about not blowing her off
fast enough. if you do your scanning from a pay phone, there's not a damn thing
that she can do about it. keep a log of all numbers and codes tried with
results:

pass 1 (121) pass 2 (111)  toll  verify
------------ ------------  ----  ------
022 opr      9143          yes    ----
027 opr      9148          no     ----
033 opr      9145          yes    ----
034 busy     2039          no     yes
056 busy     2167          yes    no
099 opr      9144          no     ----

step 1 - go through the 3 digit codes via the progression above using
"121" after each code: kp-000-121-st,kp-001-121-st, etc. if
an op. answers with the name of the city she is in, blow her
off and mark "opr" next to the code. if you get a busy
signal, mark "busy".

step 2 - go through *only* the *opr* ones and add 111 instead of
121 after the code. these will give different tandem
recordings. for example, 022 will give 9143.

step 3 - find out which of the codes are for toll switching. to do
this, add 182, 186, or 001-0cc and see if it switches
overseas. mark "yes" under toll column.

step 4 - now go through all "0" and "1" codes with the suffix of a
"busy" number. for example, let's suppose that 936-1212 is
"busy" for you. start keying in kp-000-936-1212-st,
kp-001-936-1212-st, etc. if you hear a click and then
silence, or a conversation, you have *auto-verify*! and
should mark a "yes" under the verify column.

some of the codes in the "182" col. will go through into the busy. there will
be ones marked "yes" under the "182" column. after going through "0" codes,
start on the "1" codes omitting 101, 121, 131, etc. then try the 18x codes and
wats translation codes. if youdon't know them, it's easy to find them, just
dial 800-xxx-yyyy. you get the xxx from your 800 prefix scan sheet. suppose
you're scanning 9141. you look for a 9141 on your scan sheet and presto!  you
have 800-431-yyyy. get a working number, preferably a computer or aru if you
found one and dial it. blow it off and try:

kp-125-xxxx-st where xxxx is the last 4 digits of the aru
kp-135-xxxx-st-tandem
kp-145-xxxx-st-tandem
kp-155-xxxx-st-tandem
kp-165-xxxx-st- ring - beep  found it!!

make sure you log down this 165 code, remembering that the "5" is the band #.

after scanning the var code, do some further testing. you are looking for a
click and if you find it, you've found a verification code. now you can tap
lines in that area. record the exchanges it works on. will it work for the
whole area code or just a specific city? get to know its limitations. is it
scrambled? does it drop off in 10 seconds? next you should scan the 5 and 6
digit codes. this takes the longest. try these codes; 11000,11999, 160-xxx, and

150-xxx where xxx is 000 thru 999. who knows? you might find all kindsa neat
things!!!!

if you find something strange, play with it! sweep it with a signal generator.
ask yourself, does it take mf, touch tone, 2600? shake it apart! take every
little piece and shake that! after you "tore it apart", then go looking for
more. use your imagination, intuition, and common sense.

a further note on tandem scanning - you might want to try to make contact with
a "friend" at the 4a office. the phone numbers to the 4a offices are
ac+958+xxxx if there are more than one 4a offices in the area code in question.
san diego is 714-958-042 while if all you dial is 714-958, you'll get san
bernadino. by the way, some central offices- #5xb, 1xb, and step - will allow
you to dial "1" and "0" as a 4th digit. for example: 914-027-1211 will get you
peakskill, ny. 914-182-1111 will get you an overseas sender. 914-121-1111 will
get you a n.y. inward opr.