Millennium Payphone Power Out Exploit 2.0

Millennium Payphone - Power Out Exploit V2.0 - By PsychoSpy

What's new in V2.0....

Added a section on how to turn the power out without 
cutting lines. This was one of the most common questions
people have had after I originally wrote this file.


Recently while carousing the halls at my local educational 
facility, I noticed that the LCD Displays on the phone had
gone completely blank. I couldn't believe my eyes! The
power on the phones had gone out! Can we say damn lucky?!?
I then walked up to the phone and picked it up. As I put my
ear to the slightly chilly earpiece, I heard the distinct
noise of the dial tone. You may say "Well hey! What else
do you expect to hear when you pick up the phone?!? You
forgot something you psycho! The Millennium dial tones are
all pre-recorded." Well, that's right, the dial tones ARE
pre-recorded, however, with the power out, the recorded
dial tone isn't played due to lack of power. In fact, you
can hear the physical switch inside the Millennium switch
over. This, my friend, is a REAL DIAL TONE!! WOOO!!

I then proceeded to try to dial a well known number 
(Clone's pager). The damn payphone wouldn't let me, though.
It turns out that when the power goes out, the payphone
initializes a failsafe mode which disables the dialing
of ANY numbers on the key-pad until the 1 and 8 have been
pressed first. This is meant to make it so that you cannot
dial any numbers other than 800, which you could do when
the power was on anyways.

Onto the exploits....

First, what you have to do is either cut the power to the
Millennium, or find one with the power out. The first option
is the most likely of the two. It was out of pure luck that
I found the payphones with the power out. Just be VERY VERY
careful when snipping the power. Make sure you've got rubber
gloves, the wire cutters have rubber handles, etc. If you fry
yourself because of this, IT'S YOUR OWN DAMN FAULT!! DON'T

Now for the real exploit stuff....

The numbers are only disabled on the physical key-pad. This
means that we can pull out our trusty tone dialer, and dial 
away any number we please. I actually didn't have a tone 
dialer with me, so I used a mini-audio recorder. To use the 
audio recorder, you just dial 18 and then press record, and 
dial the rest of the numbers with the mic up to the ear piece. 
Then, hang-up, and play the tones back into the phone.

NOTE: The tones must be played as fast as possible. This is
due to the dial-tone going dead in around 10 to 15 seconds.

The second exploit is based on the line seizing exploit on 
the Protels which The Clone found a while back. With the power
out, the Millennium no longer protects against this attack.
This means that you can dial an 800 number that will drop you
to a dial-tone, and you will be able to use it. You can also
try phoning up the operator and pissing her off so much that
she hangs up, therefore giving you an unlimited dial-tone once
again. Once you get this dial-tone, you can dial any number
your little heart desires.

How exactly do I turn the power off without cutting lines?....

This was the most common question after originally writing
this file. I found the answer to this from Kybo_Ren and I 
would like to thank him for it.

Here's the solution for the phones on pedestals and in booths.
Walk up to the phone. See that nice little Bell sign at the 
top? The one that lights up at night? Pry that off. Behind
that there is a little breaker switch. Flip the switch and
voila, the power is out, and you can carry out this exploit.

Outro/Shouts/To Come....

Well, that's it kiddies! Have fun! This is only the FIRST of
MANY files to come in the near future on the Millennium
Payphones which have spread across Canada like a technological
plague. Kinda interesting new frontier of phones though. The
Telcos are actually getting somewhat smarter. Who'd of ever 

Shouts out to The Clone, Cyb0rg/asm, Kybo_Ren, and Niteshade.

-- PsychoSpy
   ICQ#: 5057653


Updated: 11/21/00

