Millennium Hardware Modification for the purpose of Redboxing
By: H1D30U5
03/29/04

Shouts to Hackcanada, Nettwerked, The Clone, Wizbone, Kankraka, Cyb0rg/Asm, Question, Tr00per, H410G3N, and of course Nortel (for giving us a laugh or 2)

Thanks to Joe Clark for taking the time to send me some information. And thanks to Jackel for writing the first document regarding this idea.

Equipment required to pull this 'sploit

1. Propane torch + Lighter
2. Wire cutters
3. Electrical Tape
4. Super Glue
5. Balls of Solid Rock.

For reference, the tones for NACTS are as follows:

Quarter   2200 Hz   33 ms on, 33 ms off, repeated 5 times
Dime      2200 Hz   66 ms on, 66 ms off, repeated 2 times
Nickel    2200 Hz   66 ms on, 66 ms off, once

3900 Hz can also be substituted because Telus' switching equipment will also accept this as a valid frequency. If it's easier to produce, go for it. Also see the redboxing file on Hackcanada.com written by Cyb0rg/Asm for more details on how to build your redbox.

***Millennium Info/History***

MILLEN MTR 2.0--Millennium Payphone (A0748017)

The Millennium Payphone was once called the "Un-Phreakable Phone" simply because it has many fraud deterrents such as the false dial tone, the remote DTMF dialling, and the microphone muting. It was manufactured by Quortech and licenced for use and distribution to Nortel.

The birth of the Millennium happened in 1993, according to Doug Matatall, director of Millennium marketing at Northern Telecom. Ordinary people on the street and marketing designers wanted to produce the "Perfect" pay-telephone. Consumers asked that the buttons on the dialing pad not be hidden under the handset as they are on the older Centurion model, so the Millennium's handset was placed next to the buttons. People with tremors, cerebral palsy, and other motor impairments had difficulty inserting coins and dialing numbers, so the Millennium's buttons are farther apart and the coin slot is surrounded by a tapered bezel to guide a coin in.
It has an alpha-numeric display, and an internal computer that will set off alarms in case of vandalism / abuse, a full coin box, or when the coin slot is jammed (so don't say it's jammed to a live op, THEY KNOW.)

Matatall states that there are just over 167,000 payphones in Canada, and over 60,000 of them are Millenniums. There are over 150,000 Millenniums in North America alone. They are also found in Singapore, Australia, and Thailand.

This phone has been engineered, and re-engineered, to weather anything. The LCD was even engineered with a special substance that has a freezing point of -60 Celsius so that the display will not freeze even in the harshest of Canadian winters.

The Millennium doesn't merely display information, it also talks to you in a synthesized voice. Though this redundancy should make the phone accessible to people with vision or hearing impairments, what you hear doesn't always match what is displayed. Place a long-distance call via a credit card, for example, and the display will read "Card verification in progress" while the synthesized voice simply says "Please wait."

These features draw electrical power, using a TA10750 transformer, and only draw up to 8.6 watts a month, at a cost which Matatall estimates at 30 cents. (The Centurion draws no separate electrical power.) Converting all 167,000 payphones in Canada to Millenia will incur a power bill of over $50,000 a month; presumably telephone utilities will try to recoup this overhead through higher rates.

***Millennium Stats***

Height : 533mm (21")
Width  : 194mm (7 13/16")
Depth  : 155mm (6 3/16")
Weight : 19.05kg (42lbs) *EMPTY*

It has an enhanced G type handset with armored cabling, and an electret microphone with a dynamic receiver. Its operating temperature range is from -40°C to +60°C, and its non-operating but still physically undamaged temperature range extends 10°C in either direction from its operating range.
It uses supplemental power (110v DC) and can function without the use of its LCD to call emergency numbers, and operator assisted calls in case of a power outage. It uses a Vacuum Fluorescent Display (but for all intents and purposes we'll just call it LCD in this article.) And its "LCD" is able to function using English, French, Spanish, and Japanese letters and symbols. The display can also be independently configured to display any message that the owner wants. If it were used as a COCOT, then the owner could program an advertisement into the LCD.

***THE SPLOIT***

The only method of redboxing from a Millennium before Jackel's findings was to cut the power, which is not only inefficient, but it also automatically signals the telco. Then they'll come and repair it, etc.

There is another method... we earlier discussed the "microphone muting". There is a way around this feature, for they were not smart enough to have the local switching station initiate the muting, because there are many makes and types of switches, and the older ones would not have the resources to initiate this feature.

Quortech, in their infinite wisdom, then decided to use electrical grounding on a computer controlled switch to mute the microphone. They did this by sending an electrical current from the phone's power supply to the mouthpiece. This current is equal to the voltage required to power the microphone, therefore completing the circuit without passing through the microphone. That means that when the phone is kicked over into NACTS (when the coins are to be inserted), the microphone is bypassed. Now that we know WHY it happens, we can make it fail.

The only mildly dangerous part of this exploit is that you have to take a little bit of time to do it. This means that a concerned citizen/police officer could see you doing it. I recommend night-time for this, and that you try to pick a Millennium that is semi-secluded. Not the one that's beside the door of your local 7-11...
The "Bloated Gas-Bag" could see you.

To stop the phone from bypassing the microphone, we have to open the handset. There are a few methods of doing this, either by breaking it, or otherwise. I prefer to bring a propane torch along with me and heat the microphone cap on the handset. This will melt the glue, and at the same time, expand the cap, making it easier to remove.

Okay, so we got the cap off. Pull the microphone out and take a look at how the microphone is wired. Study it, and learn something. You'll see 3 wires there: Hot, Neutral, and a strange, out of place looking wire with a clear coating on it. That's the one we're looking for. It's the wire that completes the microphone bypass. All you have to do is cut that wire, and then the phone will send current down the line as per usual, but nothing will happen.

The important part, though, is to tape the loose ends of the wires with electrical tape. If you go to all of this trouble to modify a payphone, then it'd better damn well work. If you do not tape the wires, and the hot loose end touches something metal, it will either fry the wiring (it is 110v DC, same voltage as your household plugs) or mute the mouthpiece as normal... therefore undoing all your hard work! What a kick in the pants eh? So tape those wire ends up, and then glue the cap back on the mouthpiece.

Done, now you can try to redbox it. I find that ops will fail to notice redboxing from Millenniums because it's the "unphreakable fone." When you call from a Millennium, the op knows that you're calling from a Millennium. It will display it on their console, so you have a better success rate. I have had about 95% success when using this technique.

The best reason for modifying a Millennium instead of just using a Centurion, or Fortress, is that you can learn something while doing it, and the success rate will dramatically increase. Also, you won't have telco personnel coming around to fix the phone like you'd have if you use the power out exploit.
There you have it, the "Unphreakable Phone" has been phreaked.

On a side note, I'd suggest that you mark the payphone after you've modified it, to let other phreakers know that it has been rigged. A Nettwerked sticker would be perfect, and that's the way that I marked the one I took apart to research this article.

Have Phun, and come back safe.