
Caller ID: Up Close and Personal

Better a bottle in front of me than a frontal lobotomy.


CallerID: Upclose and Personal
by hatredonalog (hatredonalog@hotmail.com)

1 - Intro
1.1 What is CID?
1.2 Privacy Issues
1.3 Stuff Stolen from the alt.2600 faq

2 - How a message is sent (basically)
2.1 Basics
2.2 Figuring out the data & checksums
2.3 Differences between SDMF and MDMF
2.4 With CIDCW

3 - 0day Exploits
3.1 Defeating CID
3.2 Alternate CID info


4 - Appendix
4.a Glossary
4.b Resources



Introduction to CallerID

 1.1 - What is CID?

CallerID is a low-level knock-off of ANI.  It is a service from your LATA that
allows you to see who is calling you.  It gives you the month, day, time and the
number of the person calling you (and optionally also the name).  In this article
I hope to explain just how it works and maybe you'll learn something.  On with it,
no?


 1.2 - Privacy Issues

When dealing with CallerID, some privacy issues arise.  What if you don't want the
person you're calling to get your inf0z?  Well, when it first came out some privacy
activist groups had a hernia over it.  Great, eh?  Anyways, now RBOCs are SUPPOSED
to let you block CND info for free, but from what I've heard, they don't always let
you.  This is where *67 originates from: it simply tells the CO not to send your
info to the box.


 1.3 - Stuff stolen from the alt.2600 faq


Modem Requirements 

Although the data signalling interface parameters match those of a Bell 202 modem, 
the receiving CPE need not be a Bell 202 modem. A V.23 1200 bps modem receiver may
be used to demodulate the Bell 202 signal. The ring indicate bit (RI) may be used 
on a modem to indicate when to monitor the phone line for CND information. After 
the RI bit sets, indicating the first ring burst, the host waits for the RI bit to 
reset. The host then configures the modem to monitor the phone line for CND information. 



Applications 

Once CND information is received the user may process the information in a number 
of ways. The date, time, and calling party's directory number can be displayed. 
Using a look-up table, the calling party's directory number can be correlated with 
his/her name and the number displayed. 

CND information can also be used in additional ways such as for: 
 o Bulletin board applications 
 o Black-listing applications 
 o Keeping logs of system user calls
 o Implementing a telemarketing data base 



 Technical information

 2.1 - How CID information is sent (basically)


The method of transport was invented by Carolyn Doughty and was first used
by New Jersey Bell.  Unlike what some people seem to think, the CID info is
sent from the CO handling the call to the CPE (Customer Premises Equipment),
otherwise known as the box.  Under SS7 the CPNM (Calling Party Number Message)
CANNOT be blocked from the receiving CO, but can be blocked from the called
party when making a long distance call.

The CallerID info is sent between the first and second ring (pretty much common
knowledge) and is sent via Frequency Shift Keying (FSK).  The data is sent at
1200bps and the CPE has a Bell 202 modem in it to receive the FSK.  There are two
formats in which the CND (Calling Number Delivery) is sent.  These are SDMF (Single
Data Message Format) and MDMF (Multiple Data Message Format), both of which I will
go into later.  The main difference between the two is simply that the name of the
calling party is also sent with MDMF.

The modulation is continuous-phase binary FSK.  Logical 1 is 1200Hz give or take
12Hz and logical 0 is 2200Hz give or take 22Hz.  These are the two binary states,
1 and 0.  They are sent asynchronously at -13dBm and are tested at the CO across a
900 ohm test termination.  The data is sent after a minimum of 500ms (milliseconds),
starting with the Channel Seizure.  The Channel Seizure is 250ms in length and is
300 bits of alternating 1's and 0's, beginning with a 0 and ending with a 1.
Immediately after the Channel Seizure is sent, the Mark Signal is transmitted.  It
consists of 180 bits and is 150ms in length.  Together they prepare the CPE to
receive the CND data.  Then the Least Significant Bit (LSB) of the most significant
character is sent.  This is the same under both SDMF and MDMF.  Each character sent
is 8 bits (1 octet), and for all displayable data they represent ASCII codes; each
string of 8 bits is preceded by a start bit and followed by a stop bit, which makes
10 bits per character.  Finally, all the information sent is followed by a checksum.
This is to make sure that the data was sent and received properly.

Here is a Basic CND signal:

 1st ring : (500ms) Channel Seizure : Mark Signal : CID Info : Checksum (200ms) : 2nd ring


 2.2 - Figuring out the Data & checksums


┌────────┐
│Figure 1│
├────────┴───────────┬─────────┬────────┬──────────────┐
│Character           │ Decimal │ ASCII  │  Actual      │
│Description         │ Value   │ Value  │  Bits   (LSB)│
├────────────────────┴─────────┴────────┴──────────────┤
│Message Type (SDMF)       4            0 0 0 0 0 1 0 0│
│Message Length (18)      18            0 0 0 1 0 0 1 0│ 
│Month (December)         49       1    0 0 1 1 0 0 0 1│
│                         50       2    0 0 1 1 0 0 1 0│
│Day (25)                 50       2    0 0 1 1 0 0 1 0│
│                         53       5    0 0 1 1 0 1 0 1│
│Hour (3pm)               49       1    0 0 1 1 0 0 0 1│
│                         53       5    0 0 1 1 0 1 0 1│
│Minutes (30)             51       3    0 0 1 1 0 0 1 1│
│                         48       0    0 0 1 1 0 0 0 0│
│Number (6061234567)      54       6    0 0 1 1 0 1 1 0│
│                         48       0    0 0 1 1 0 0 0 0│
│                         54       6    0 0 1 1 0 1 1 0│
│                         49       1    0 0 1 1 0 0 0 1│
│                         50       2    0 0 1 1 0 0 1 0│
│                         51       3    0 0 1 1 0 0 1 1│
│                         52       4    0 0 1 1 0 1 0 0│
│                         53       5    0 0 1 1 0 1 0 1│
│                         54       6    0 0 1 1 0 1 1 0│
│                         55       7    0 0 1 1 0 1 1 1│
│Checksum                 79            0 1 0 0 1 1 1 1│
└──────────────────────────────────────────────────────┘

It is all simple conversion from binary to ASCII (and decimal). Here, we will
tear it down octet by octet.

The Message Type is straightforward.  It specifies one of two types, SDMF or
MDMF.  If it is SDMF the octet sent is 00000100 (decimal 4), and if the type is
MDMF the octet sent is 10000000 (decimal 128).

The Message Length is also quite easy to figure out.  The binary converted to
decimal is the message length.  00010010 is 18, and 18 is the message length.
Done, easy.

The time is sent in military (24-hour) fashion.  To get the normal time, put the two
hour digits together and subtract 12 (i.e. 1 and 5 make 15, and 15 - 12 == 3pm).  Then
you just take the next two values to get the minutes.  Figuring out the checksum is
slightly more difficult, but not that much.

The numbers are figured out exactly like the Message Length, so don't worry
about that.

The checksum word is the last data to be sent, and is the twos complement of
the modulo 256 sum of all the other words (octets) of the message.  When the
message is received by the CPE it checks for errors by taking the received
checksum word and adding it to the modulo 256 sum of all of the other words received
in the message; the result should be zero.

Figuring out the checksum is not difficult.  The first step is to add up the
values of all of the fields (not including the checksum).  In this example the
total would be 945.  This total is then divided by 256.  The quotient is
discarded and the remainder (177) is the modulo 256 sum.  The binary equivalent
of 177 is 10110001.  To get the twos complement start with the ones complement
(01001110), which is obtained by inverting each bit, and add 1.  The twos
complement of a binary 10110001 is 01001111 (decimal 79).  This is the checksum
that is sent at the end of the CID information.  When the CPE receives the CID
message it also does a modulo 256 sum of the fields, however it does not do a
twos complement.  If the twos complement of the modulo 256 sum (01001111) is
added to just the modulo 256 sum (10110001) the result will be zero.





 2.3 - Differences between SDMF and MDMF

┌────────┐
│Figure 2│
├────────┴──────┬──────────────┬────────┬───────────────┐
│Character      │      Decimal │  ASCII │  Actual       │
│Description    │      Value   │  Value │  Bits   (LSB) │
├───────────────┴──────────────┴────────┴───────────────┤
│Message Type (SDMF)       4             0 0 0 0 0 1 0 0│
│Message Length (9)        9             0 0 0 0 1 0 0 1│
│Month (December)         49       1     0 0 1 1 0 0 0 1│
│                         50       2     0 0 1 1 0 0 1 0│
│Day (25)                 50       2     0 0 1 1 0 0 1 0│
│                         53       5     0 0 1 1 0 1 0 1│
│Hour (3pm)               49       1     0 0 1 1 0 0 0 1│
│                         53       5     0 0 1 1 0 1 0 1│
│Minutes (30)             51       3     0 0 1 1 0 0 1 1│
│                         48       0     0 0 1 1 0 0 0 0│
│Private                  80       P     0 1 0 1 0 0 0 0│
│Checksum                 16             0 0 0 1 0 0 0 0│
└───────────────────────────────────────────────────────┘

That is how a "Private" Call would be displayed,  if the Caller didn't
use *67, it would look like figure 1.



┌────────┐
│Figure 3│
├────────┴─────────┬──────────────────┬────────┬───────────────┐
│Character         │          Decimal │ ASCII  │  Actual       │
│Description       │          Value   │ Value  │  Bits    (LSB)│
├──────────────────┴──────────────────┴────────┴───────────────┤
│Message Type (MDMF)            128             1 0 0 0 0 0 0 0│
│Message Length (33)             33             0 0 1 0 0 0 0 1│
│Parameter Type (Date/Time)       1             0 0 0 0 0 0 0 1│
│Parameter Length (8)             8             0 0 0 0 1 0 0 0│
│Month (November)                49       1     0 0 1 1 0 0 0 1│
│                                49       1     0 0 1 1 0 0 0 1│
│Day (28)                        50       2     0 0 1 1 0 0 1 0│
│                                56       8     0 0 1 1 1 0 0 0│
│Hour (3pm)                      49       1     0 0 1 1 0 0 0 1│
│                                53       5     0 0 1 1 0 1 0 1│
│Minutes (43)                    52       4     0 0 1 1 0 1 0 0│
│                                51       3     0 0 1 1 0 0 1 1│
│Parameter Type (Number)          2             0 0 0 0 0 0 1 0│
│Parameter Length (10)           10             0 0 0 0 1 0 1 0│
│Number (6062241359)             54       6     0 0 1 1 0 1 1 0│
│                                48       0     0 0 1 1 0 0 0 0│
│                                54       6     0 0 1 1 0 1 1 0│
│                                50       2     0 0 1 1 0 0 1 0│
│                                50       2     0 0 1 1 0 0 1 0│
│                                52       4     0 0 1 1 0 1 0 0│
│                                49       1     0 0 1 1 0 0 0 1│
│                                51       3     0 0 1 1 0 0 1 1│
│                                53       5     0 0 1 1 0 1 0 1│
│                                57       9     0 0 1 1 1 0 0 1│
│Parameter Type (Name)            7             0 0 0 0 0 1 1 1│
│Parameter Length (9)             9             0 0 0 0 1 0 0 1│
│Name (Joe Smith)                74       J     0 1 0 0 1 0 1 0│
│                               111       o     0 1 1 0 1 1 1 1│
│                               101       e     0 1 1 0 0 1 0 1│
│                                32             0 0 1 0 0 0 0 0│
│                                83       S     0 1 0 1 0 0 1 1│
│                               109       m     0 1 1 0 1 1 0 1│
│                               105       i     0 1 1 0 1 0 0 1│
│                               116       t     0 1 1 1 0 1 0 0│
│                               104       h     0 1 1 0 1 0 0 0│
│Checksum                        88             0 1 0 1 1 0 0 0│
└──────────────────────────────────────────────────────────────┘
The only differences between SDMF and MDMF are that MDMF is slightly more
advanced and has more features.  It displays the calling party's name along
with the number.  It also has a parameter type and a parameter length octet in
front of each field (see Figure 3).  The message type is defined as either
00000100 (SDMF) or 10000000 (MDMF).  With SDMF the minimum message length can
be 9 octets, whereas with MDMF the minimum length can be 13.  When the minimum
is sent, neither the CND nor the CNAM (Caller Name) is displayed.  In their place,
either an "O" (out of area) or a "P" (Private) is sent (as in the case of Figure 2).
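The message layout of sections 2.2 and 2.3 and the checksum rule above, as an added example (not code from the original article): a small Python decoder that strips the 10-bit async framing, verifies the twos-complement checksum and parses both SDMF and MDMF messages. The three sample messages are constructed from the octet values in Figures 1 to 3; the parameter type values 1, 2 and 7 are the ones shown in Figure 3.

```python
# Added example: decoder for the SDMF/MDMF Caller ID messages described above.

SDMF = 0x04            # message type octet 00000100
MDMF = 0x80            # message type octet 10000000
PARAM_DATETIME = 0x01  # MDMF parameter types as used in Figure 3
PARAM_NUMBER = 0x02
PARAM_NAME = 0x07


def octets_from_bits(bits):
    """Strip the async framing: start bit 0, 8 data bits LSB first, stop bit 1."""
    octets = []
    for i in range(0, len(bits) - 9, 10):
        frame = bits[i:i + 10]
        if frame[0] != 0 or frame[9] != 1:
            raise ValueError("framing error at bit %d" % i)
        octets.append(sum(bit << k for k, bit in enumerate(frame[1:9])))
    return octets


def checksum(octets):
    """Twos complement of the modulo-256 sum of every octet before the checksum."""
    return (-sum(octets)) & 0xFF


def verify(message):
    """The CPE check: all octets including the checksum must sum to 0 mod 256."""
    return sum(message) & 0xFF == 0


def _date_time(field):
    # MMDDHHMM as ASCII digits, hours in 24-hour form (15 == 3pm)
    text = field.decode("ascii")
    return {"month": text[0:2], "day": text[2:4], "hour": text[4:6], "minute": text[6:8]}


def decode(message):
    """Parse one SDMF or MDMF message given as a list of octets, checksum last."""
    msg = bytes(message)
    if len(msg) < 3:
        raise ValueError("message too short")
    if not verify(msg):
        raise ValueError("checksum mismatch: expected %d, got %d" % (checksum(msg[:-1]), msg[-1]))
    mtype, length, body = msg[0], msg[1], msg[2:-1]
    if length != len(body):
        raise ValueError("length octet says %d, body has %d" % (length, len(body)))
    result = {"number": None, "name": None}
    if mtype == SDMF:
        result["format"] = "SDMF"
        result.update(_date_time(body[:8]))
        result["number"] = body[8:].decode("ascii")   # digits, or a lone 'P' / 'O'
    elif mtype == MDMF:
        result["format"] = "MDMF"
        i = 0
        while i < len(body):
            if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
                raise ValueError("truncated parameter at offset %d" % i)
            ptype, plen = body[i], body[i + 1]
            value = body[i + 2:i + 2 + plen]
            if ptype == PARAM_DATETIME:
                result.update(_date_time(value))
            elif ptype == PARAM_NUMBER:
                result["number"] = value.decode("ascii")
            elif ptype == PARAM_NAME:
                result["name"] = value.decode("ascii")
            i += 2 + plen       # unknown parameter types are skipped, not rejected
    else:
        raise ValueError("unknown message type 0x%02x" % mtype)
    return result


# Constructed from the figures: Figure 1 (SDMF), Figure 2 (private call), Figure 3 (MDMF)
FIG1 = [4, 18] + list(b"12251530") + list(b"6061234567") + [79]
FIG2 = [4, 9] + list(b"12251530") + [ord("P")] + [16]
FIG3 = [128, 33, 1, 8] + list(b"11281543") + [2, 10] + list(b"6062241359") + [7, 9] + list(b"Joe Smith") + [88]
```

A corrupted octet anywhere in the message makes `verify` fail, which is exactly the check a box or serial-port CID application should perform before trusting the display data.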


 2.4 - With CIDCW

CIDCW stands for CallerID on Call Waiting.  It's so you know who is calling, even
when you're already on the phone.  It runs *only* under MDMF (which I think is
standard).  It varies a bit from normal CID.  It doesn't send any kind of Channel
Seizure, and the Mark Signal is only 80 bits.  Instead of a Channel Seizure, it sends
a CAS (CPE Alert Signal) along with the SAS (Subscriber Alert Signal), and the box
responds with an ACK signal, during which time it mutes the handset.  Then it receives
the FSK data, and unmutes your phone after the data is received.  Here
is the sequence:

 SAS/CAS : CPE returns ACK : CO sends FSK : info displayed
handset muted --^      handset unmuted --^
 

Tone frequencies:

SAS == 440Hz (300ms in length)
CAS == 2030+2750Hz (DTMF)
ACK == "A" or "D";  A == 941+1633Hz
                    D == 697+1633Hz

Surprisingly enough (to me at least), the ACK response is either the "A" or "D"
tone from a Silver Box.  So ha, they are still used for something other than
PBXs or ham radio.


 
  0day Exploits


 3.1 Defeating CID

Okay, I did steal this from the Fixer's Beating CallerID file.  But I really
couldn't say it any better, so I included it.  Mad creds to the Fixer for
being so elite. =)




(1) Use *67.   It will cause the called party's Caller ID unit to
    display "Private" or "Blocked" or "Unavailable" depending on the
    manufacturer. It is probably already available on your line, and if
    it isn't, your local phone company will (most likely - please ask
    them) set it up for free.  This is the simplest method, it's 100
    percent legal, and it works.
(2) Use a pay phone.  Not very convenient, costs 25 or 35 cents
    depending, but it cannot be traced back to your house in any way,
    not even by *57.  Not even if the person who you call has Mulder and
    Scully hanging over your shoulder trying to get an FBI trace (sic).
    Janet Reno himself couldn't subpoena your identity.  It's not your
    phone, not your problem, AND it will get past "block the blocker"
    services.  So it's not a totally useless suggestion, even if you
    have already thought of it.
(3) Go through an operator.  This is a more expensive way of doing it
    ($1.25-$2.00 per call), you can still be traced, and the person
    you're calling WILL be suspicious when the operator first asks for
    them, if you have already tried other Caller ID suppression methods
    on them.
(4) Use a prepaid calling card.  This costs whatever the per-minute
    charge on the card is, as they don't recognize local calls.  A lot
    of private investigators use these.  A *57 trace will fail but you
    could still be tracked down with an intensive investigation (read:
    subpoena the card company).  The Caller ID will show the outdial
    number of the Card issuer.
(5) Go through a PBX or WATS extender.  Getting a dial tone on a PBX is
    fairly easy to social engineer, but beyond the scope of this file.
    This is a well-known and well-loved way of charging phone calls to
    someone else but it can also be used to hide your identity from a
    Caller ID box, since the PBX's number is what appears.  You can even
    appear to be in a different city if the PBX you are using is!  This
    isn't very legal at all.  But, if you have the talent, use it!
(6) I don't have proof of this, but I *think* that a teleconference
    (Alliance teleconferencing, etc.) that lets you call out to the
    participants will not send your number in Caller ID.  In other
    words, I am pretty sure the dial tone is not your own.
(7) Speaking of dial tones which aren't yours, if you are lucky enough
    to live in an area with the GTD5 diverter bug, you can use that to
    get someone else's dial tone and from thence their identity.
(8) Still on the subject of dial tones which aren't your own, you can 
    get the same protection as with a payphone, but at greater risk,
    if you use someone else's line - either by just asking to use the
    phone (if they'll co-operate after they hear what you're calling 
    about) or by the use of a Beige Box, a hardware diverter or bridge 
    such as a Gold Box, or some other technical marvel.
(9) This won't work with an intelligent human on the other end, it
    leaves you exposed if the called party has a regular Caller ID box
    with memory, and has many other technical problems which make it
    tricky at best and unworkable for all but experts.  A second Caller
    ID data stream, transmitted from your line after the audio circuit
    is complete, will overwrite the true data stream sent by the telco
    during the ringing.  If the line you are calling is a BBS, a VMB, or
    some other automated system using a serial port Caller ID and
    software, then you can place your call using *67 first, and then
    immediately after the other end picks up, send the fake stream.  The
    second stream is what the Caller ID software processes, and you are
    allowed in.  See the technical FAQs below for an idea of the
    problems behind this method; many can be solved.
(10) Someone in alt.2600 (using a stolen AOL account, so I can't credit
    him or her properly) suggested going through 10321 (now 10-10-321)
    or 10288.  Apparently using a 10xxx even for a local call causes
    "Out of Area" to show up on the Caller ID display.  I live in Canada
    where we don't have 10xxx dialing so I can't verify nor disprove this.
(11) There are 1-900 lines you can call that are designed to circumvent
    Caller ID, ANI, traces, everything.  These services are *very*
    expensive, some as high as $5.00 a minute, but they include long
    distance charges.  This was first published in 1990 in 2600
    magazine, and in 1993 the IIRG reported that 1-900-STOPPER still
    works.  Beware - even if you get a busy signal or no answer, you
    will get charged at 1-900 rates!  Another one published in 2600 in
    1990: 1-900-RUN-WELL.  That one supposedly allows international
    calls.  I'm not about to call either one to find out.  Note that you
    could still be caught if the operators of these services were to be
    subpoenaed.
(12) Use an analog cellular phone.  Most providers of plain old analog
    service show up on Caller ID as "Private" or "Out of Area" or a main
    switchboard number for the cell network.  This is becoming less and
    less true as cellular providers move to digital cellular and PCS,
    which pass the phone's number on Caller ID.  Corollary: Rent a
    cellphone by the day.  This might even be cheaper than using a
    prepaid phone card.



 3.2 - Alternate CallerID Information


If you're under a DMS-100 switch, you can change your Caller ID information
to anything that you would like it to be.  Not your ANI, just your CND (and
your CNAM).  You can do it 1 of 3 ways: hack the switch, social engineer, or
have a friend on the inside do it.  This also is stolen, from Usenet.  It also
is really well written.

SDNA (Setting Up DN Attributes) plenty of examples in HELMSMAN (DMS on-line help)

The following is accomplished in SERVORD:

SDNA [return]
[prompt] SNPA:
[prompt] OFFICE CODE:
[prompt] FROM DIGITS:
[prompt] TO DIGITS:
[prompt] NET NAME:
[prompt] FUNCTION:
[prompt] OPTION:
[prompt] NPA:
[prompt] OFFICE CODE:
[prompt] DIGITS:
YES to confirm
.. updating (does so immediately)

SNPA is the area code of the line this is being done on.
OFFICE CODE is the exchange/prefix of the line this is being done on.
FROM DIGITS is the last four digits of the line this is being done on.
TO DIGITS is also the last four digits of the line this is being done on. (It
can be done to a series of lines.)
NET NAME is PUBLIC
FUNCTION - there are three legit functions ADD add. CHA change. DEL delete
(self-explanatory)
OPTION is ADDRESS (phone number)
NPA is area code you want your new Caller ID to be
OFFICE CODE is the new exchange/prefix you want to have
DIGITS are the last four digits of the new Caller ID to be!
YES to confirm
...updating

Now you can call anyone who has Caller ID and they will think you are calling
from the number you changed it to.

Please note the following effects and ramifications:

ANI still passes normally. It is only the Caller ID signal which changes.
So anyone doing serious investigating at the phone company can still pull Last
Incoming Call, etc., correctly.
Billing is not affected. That is, you cannot bill to the virtual (artificial
number).
Call Return will call back the Caller ID, so if it's in the same area, it will
call back the number. If the Caller ID you chose is from a different area,
Call Return won't work. This is one of my favorites. Since having a non-pub
number doesn't stop people from Call Returning you. Now it does!!

800 numbers: AT&T 800's will always get your ANI. MCI tends to usually grab
your ANI. Operator 800's will definitely get your ANI. (800-225-5288).
Sprint 800's can be configured either way. For example, AOL (America On Line)
800's get ANI. (yes, they resporg to Sprint). However, Western Union, and
other Sprint 800's read the Caller ID. Most newer 800's read the Caller ID,
but one must test to know for sure.

The above method of altering Caller ID on a line is the only legitimate way I
have ever found to do so that really works. Can the same thing be done on
5ESS? Not that I am aware of, and I have researched it pretty thoroughly. I
have not researched Siemens switches, or others. Tchau for now. Have phun.



 4.a - Glossary



ACK -- Acknowledgment
ANI -- Automatic Number Identification
ASCII -- American Standard Code for Information Interchange
BFSK -- Binary Frequency Shift Keying
CAS -- CPE Alerting Signal
CID -- Caller Identification or Caller ID
CIDCW -- Calling Identity Delivery on Call Waiting or Caller ID on Call Waiting
CNAM -- Calling Name Delivery
CND -- Calling Number Delivery
CPE -- Customer Premise Equipment
CPNM -- Calling Party Number Message
DTMF -- Dual-Tone Multifrequency
FCC -- Federal Communications Commission
FSK -- Frequency Shift Keying
ID -- Identification
LATA -- Local Access and Transport Area
LSB -- Least Significant Bit
LSSGR -- LATA Switching Systems Generic Requirements
MDMF -- Multiple Data Message Format
OSI -- Open Switch Interval
PC -- Personal Computer
SAS -- Subscriber Alerting Signal
SDMF -- Single Data Message Format
SPCS -- Stored Program Control Switching System
SS7 -- Signaling System 7 



 4.b - Resources on the internet

http://www.markwelch.com/callerid.htm
http://members.xoom.com/hoal/cpid-ani.txt
http://bc1.com/users/fixer/files/BEATCID.TXT



-hatredonalog

