ulTRAX'S ARCHIVE

PRANKS & HUMOR



UK HACK: APRIL FOOLS '99
INTRO

Created: 4-1-99. Updated 9-15-2000. Page design and Entire Site © ulTRAX@webtv.net.



INTRODUCTION: Just when it seems there are no secrets left from the old hacking group I used to belong to, there is one more... a secret project that only Mattman and I worked on. It may have been the most ambitious hacking project to date.

Last summer it was an accomplishment to get around in the browser using WTV codes and commands. But late last summer and fall '98 all this changed. We were learning it was possible to navigate through the WTV network... not to just connect with various WTV servers like Weekly and Daily, but to go international!

The first piece of the puzzle came in August. JG, attempting to help me out of Testdrive, had instructed me to go to Killer Willie, load any external Plus build, then do the 32678 power off trick which would cause the box to go "scriptless" (without a tellyscript). At that point the newly loaded external build would request from WTV a new list of Client:ShowService IPs for the Production service. Once that happened I'd no longer be connected to TD.... like I was ready to leave lol. An implication of this trick was to explain how we all got connected to TD to begin with!! I had an internal build which I had downloaded from BIG WILLIE. It seemed to run fine off the production server until, in my experimenting with login commands, I caused the box to poweroff then to redial the 800 number. When I logged back on I was in TestDrive.

IPF: Last fall we learned it was possible to use the IP:port/file (IPF) to access the TRICKS sections of numerous WTV servers, including that of the UK and Japan services. Among other things were lists of internal and external builds designed specifically for export. (By law the Export builds were required to have less robust encryption than the 128 bit encryption found in the US. This encryption is used in SSL transactions, for secure credit card transactions, etc. and is classified as a munition.)

We made a few assumptions at this point. The first was that whatever build we downloaded would contain within it a dialup number where it could access the Client:ShowServices list necessary to connect to any webtv server we chose. If we could get that IP list... and connect with our own POP dialup... we'd have the ability to be connected to another WTV network using our local dialup.

But what service to connect to? Even if we did connect to the Japanese Network, the browser would be not only getting Japanese characters which we wouldn't be able to read... but since our browser probably did not have the correct ISO international character sets, even if we COULD read Japanese, the characters would not load properly. (Actually, we still do not know if the ISO character sets are in ROM or part of a downloaded build.) What REALLY concerned us was that even if we successfully downloaded a Japanese build, we might never be able to figure out how to get the hell out of the Japanese service. How would we find our way around? Losing a box in this manner seemed too expensive an experiment.... even if our account files would still be intact on the US servers.

It seemed that unless we could find the Canadian service first, we would have to go with the UK. That we assumed could easily be done by downloading a UK build from the UK Killer Willie.... or what is probably the US test version of the UK service. At some point I'll have to do an Internic or RIPE search for the domain's owner.

The next problem we anticipated was having to register as new subscribers since there obviously would be no record of our user names/accounts #s on the UK servers. This would be no problem here in the states. It seemed that since the TRICKs Break-in in August... one could no longer just connect with TD but had to reregister as a new subscriber would. This might have been because some of our accounts had already been on the US TD server. Why that should have been, who knows. But when I first got to TD I found recent mail waiting for me. If I now try to mail ulTRAX@testdrive.webtv.net the letter will bounce.

Getting a POP to connect to also seemed problematic. If we entered a semi-legitimate UK phone number (and we'd have to do a web search to see if they differed from the North American x-xxx-xxx-xxxx standard) the initial calls to the UK POP would be at costly trans-Atlantic rates.

Our other hope was that the WTV UK network used an Automatic Number Identification (ANI) System and would have no problems detecting and making sense of stateside phone numbers. This phone number formatting seemed critical. For an example there is a WTV ANI page for the Japanese service which refuses to acknowledge North American phone numbers as valid. That page can be found here. The gifs on the page don't load because they are linked to the wtv-800:/ service which is only used during registration. These wtv-1800 IPs are not included on our Client:ShowServices IP list. Note the example used for the phone number differs from this one.

If we were really lucky the UK ANI system might connect us with our own local POP dialups... that is if these US numbers were even in the UK POP DataBase.... a real longshot. If not we'd have to eat the cost of the long distance call... connect to the UK, then access the file://rom/htmls/AccessNumber page and override whatever British POP number was assigned us.

Matt and I divided the work. While he tried a direct connect to see what the ANI system might do I poked around in an on-line phone directory for a suburb of London... finally settling on the phone number for Lancaster Coal and Ice Ltd. Just to be on the safe side I altered the last two digits.

CONNECTING TO UK: Playing it safe I downloaded an old Plus UK 2.1 external build. I chose 2.1 so I could have access to javascript in the GoTo. I blasted my NVRam and relogged on. Sure enough my box attempted to dial a British POP number, but since the WTV server assumed I was IN Britain, the number provided lacked the international dialing prefix and the call did not go through. I powered off, used the 217 code, then simply added the code for England in the "prefix" box in Phone Setup.

Connecting to the UK service, which I don't believe was fully operational yet, was nearly identical to connecting to the US WTV service... several differences.... I needed to provide a postal (not a zip) code, and monthly subscription fees were listed in pounds, not dollars. In the background was a cheesy midi of "God Save The Queen" or possibly "Hail Britanica".

After registration my main login screen had only my ulTRAX user name set up as the primary user. Once in my account I discovered that the Homepage was familiar but had a distinct British flavor. In the 60:40 ad panels were links to the BBC and the other had information on the new Euro currency startup (remember this was in November). As could be expected I had no mail or FAV files. I quickly wrote mattman (and cc:ed myself) a letter. It had a return @webtv.net.uk address.

Knowing that the long distance charges were adding up I tried to go to the British version of STOCKS but soon remembered that 2.1 did not have MyWebTV. So I was forced to use javascript in the GoTo to access file:/rom/htmls/AccessNumber page where I entered in my local POP number. I then hung up, used 217 PowerOff to get rid of the international dialing prefix, and reconnected. It worked!

THE BRITISH SERVICE: One of the first things I did was try and access TRICKS. I started with Big Willie. There I downloaded the 62 part 2.7.5 internal build. (Derby is still being tested for 2.6) It took nearly an hour. I was not prepared for what I got. For one thing, unlike the US counterpart there was no password prompt at TRICKS and I was greeted by an array of options not seen on the US TRICKS page. Maybe I could have gotten this using the 2.1 external but I hadn't tried. That there was no password might seem odd but remember that the UK service was probably only in beta at the time and available only to tech staff, testers, and licensees. What was even MORE surprising was that there was no PW to get to a second TRICKS index page.

What immediately caught my eye were several options there for pages called KILLER WINNIE UK 1-3. The name threw me for a moment until I realized it was probably a tribute to the late Winston Churchill.





There were internal builds I could only guess what they did: 0.5 Black_Ops R&D Apps, 0.4.1 Developers Debug, 2.9 NovaStar etc.




The 0.X series seemed the most intriguing since there was no such numerical equivalent we knew of... then again we never had access to the second US TRICKS index.

As I explored TRICKS I noticed some of WTV's famous humor did not seem to go over well with the stiff upper-lipped Brits and VEND-A-TELLY and POP-DE-SNITZHEL (sp) had different names: GET-A-TELLY and POP TOUR. As could be expected my stateside home phone did not show up in TRICK-INFO. As for our JIFFY-POP-O-RAMA which had an ANI function, it was simply named POP ACCESS.

In DOWNLOAD-A-RAMA were none of the familiar downloads for US companies or TV networks.





But in GAMES were some options we have not yet seen. Aside from JACK, DOOM and QUAKE were inactive! Matt (who also loaded the same internal build) and I were able to play in deathmatch mode against each other. The frame rate and the reaction time was acceptable. I wiped him out lol.

Back in mail and in newsgroups we discovered there was a Conferencing option.





Believe it or not the Brits will have access to Net Show Streaming Video Conferencing!! I wrote Matt to hook up his video camera fully expecting him to have his trusty sledgehammer handy. We did get streaming duplex sound. But the video section did not work... at least not the picture. This might be because the Brits use PAL, a different video broadcast standard than our NTSC videocameras. This incompatibility did not seem to affect any other browser function... but then it's all standard HTML and javascript. The servers sending out the WTV HTML page code don't care whether the final TV monitor is PAL or NTSC... that's up to the box to decode and display. The audio teleconferencing function could also be adapted to an internet phone which plugs into a spare port of the Plus.

On the TV side I did try to download some listings for the London area... but all my attempts to enter in a valid UK postal code got error messages. It's unclear whether this service was up and running at the time.

Matt and I checked out the advanced Chat option. Unlike IRC chat we were able to create an actual VRML (possibly a JAVA app) Room and choose 3D characters to represent us inside that room. We could virtually approach them and say "Hi" (or "boo!"). One directs chat to another by looking at them. There is an option for streaming audio and another for Text to Speech (much too slow). The VRML must have other applications but I did not get a chance to explore... Of course the box might have actually had JAVA, not VRML, but I never did take the information tours to find out what all the new features were.

BLACK OPS BUILD 0.5: In Killer Winnie there were notices that the Black-Ops builds were only for those with Level 4 or 5 authorization. Matt was first to download the Black_Ops build for the Plus. It came in 71 parts and took 75 minutes. When he wrote me his address had changed from mattman69#testdrive.webtv.net.uk to mattman69@black_ops.webtv.net.uk.







The Black_Ops builds were not ordinary internal builds. It was lean and sparse on graphics.... meant for business, not glitz. It seemingly was designed to be a link between the WTV subscriber network and the WNI UK intranet. Probably what Consumer Reps and Level 2 (or higher) Techs use. It also seemed to have all the debugging tools we had found in TestDrive, but again they did not seem to work with our consumer boxes which may be lacking a special chipset. Here we had access to corporate memo boards and more.

It was here that we found some of the memos now made public such as this one. Apparently this one memo also made its way on to the web and was picked up by others. There was an internal WTV Tech troubleshooting NG... Notices on child care and public transportation.... oh and some banter about the backdoor being left unlocked... typical corporate stuff.

It seems, however, that our intrusion did not go undetected. About 30 minutes into our exploration of the WNI intranet our boxes simultaneously were powered off.... actually I must have gotten booted out first since Matt does have a pic of his attempt to write me. When my box repowered on I was dialing into my assigned UK POP... which, as before, did not have the international dialing prefix. It seemed the gig was up. The only way out now was to reinsert the international dialing prefix in Phone Setup, connect again to the UK, override the UK POP with our own local POP and visit a US Killer Willie to get a US external build.

TO BE CONTINUED