preface
-------
the purpose of this tutorial is to give potential hackers useful information
about hewlett-packard's hp2000 systems. the following notation will be used
throughout this tutorial:
- carriage return, return, enter, etc.
^c - a control character (control-c in example)
capital letters - computer output & user input
system information
------------------
each hp2000 system can support up to 32 users in a timeshared basic (tsb)
environment. the systems usually run a version of hewlett packard's
timeshared/basic 2000 (various levels).
logon procedure
---------------
once connected to a hp2000, type a numeral followed by a . the system
should then respond with: please log in. if it does not immediately respond
keep on trying this procedure until it does (they tend to be slow to
respond).
user id: the user id consists of a letter followed by 3 digits, eg, h241.
password: the passwords are from 1 to 6 printing and/or non-printing
(control) characters. The following characters will not be found in any
passwords so don't bother trying them: line delete (^x), null (^@),
return (^m), linefeed (^j), x-off (^s), rubout, comma (^l), space (^),
back arrow (<-), & underscore (_). hp also suggests that ^e is not used
in passwords (but i have seen it done!).
the logon format is: hello-a123,passwd
where: hello is the login command. it may be abbreviated to
hel. a123 is the user id & passwd is the password.
the system will respond with either illegal format or illegal access
depending upon whether you screwed up the syntax or it is an invalid user
id or password.
the messages: please log in, illegal format, & illegal access also help you
identify hp2000 systems.
the system may also respond with all ports are busy now - please try
again later or a similar message. one other possibility is no time left
which means that they have used up their time limit without paying.
unlike other systems where you have a certain amount of tries to login,
the hp2000 system gives you a certain time limit to logon before it dumps
you. the system default is 120 seconds (2 minutes). the sysop can change
it to be anywhere between 1 and 255 seconds, though. in my experience, 120
seconds is sufficient time for trying between 20-30 logon attempts while
hand-hacking & a much higher amount when using a hacking program.
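the time-limit-only logon window described above, beside a per-connection attempt cap, as an added example that is not part of the original text or of tsb/2000. the class name, the cap of 3, the "ok" reply and the sample account are assumptions made for illustration.

```python
import hmac
import re

# syntax from the text: hello-a123,passwd ("hello" may be abbreviated to "hel").
# accepting "hell" as well is an assumption of this sketch.
LOGON_RE = re.compile(r"^hel(?:lo?)?-([a-z]\d{3}),([^,]{1,6})$",
                      re.IGNORECASE)


class LogonGate:
    """hypothetical gate for one connection; max_attempts=None is time limit only."""

    def __init__(self, accounts, time_limit=120, max_attempts=None):
        if not 1 <= time_limit <= 255:  # range the text gives for the sysop setting
            raise ValueError("time limit must be between 1 and 255 seconds")
        self.accounts = accounts
        self.time_limit = time_limit
        self.max_attempts = max_attempts
        self.attempts = 0

    def attempt(self, elapsed, line):
        """answer one logon line typed `elapsed` seconds after connecting."""
        if elapsed > self.time_limit:
            return "disconnect"
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            return "disconnect"
        self.attempts += 1
        m = LOGON_RE.match(line)
        if m is None:
            return "illegal format"
        user, password = m.group(1).lower(), m.group(2)
        stored = self.accounts.get(user)
        # constant-time comparison; unknown ids and wrong passwords answer alike
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            return "ok"  # placeholder: the text does not show the success response
        return "illegal access"


def replay(gate, lines, spacing):
    """feed constructed logon lines to the gate, one every `spacing` seconds."""
    return [gate.attempt(i * spacing, line) for i, line in enumerate(lines)]


# constructed sample data: one account and 25 wrong logon lines, 4 seconds apart
ACCOUNTS = {"h241": "secret"}
WRONG = ["hel-h241,no%02d" % i for i in range(25)]
TIME_ONLY = replay(LogonGate(ACCOUNTS), WRONG, 4)
CAPPED = replay(LogonGate(ACCOUNTS, max_attempts=3), WRONG, 4)
```

with only the 120 second window, all 25 lines are evaluated; with the cap, the connection is dropped after the third.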
users
-----
the various users are identified by their user id (a123) & password.
users are also identified by their group. each group consists of 100
users. for example, a000 through a099 is a group, a100 through a199 is
another group, & z900 through z999 is the last possible group. the first
user id in each group is designated as the group master & he has
certain privileges. for example, a000, a100,...h200..., & z900 are all
group masters. the user id a000 is known as the system master & he has the
most privileges (besides the hardwired sysop terminal). the library
associated with user z999 can be used to store a hello program which is
executed each time someone logs on.
so, the best thing to hack on an hp2000 system is the system master (a000)
account. it is also the only user id that must be on the system. he logs
on by typing: hel-a000,passwd. you just have to hack out his password. if
you decide to hack z999, you can create or change the hello program to
give every user your own personal message every time he logs on! this is
about all you can do with z999 though since it is otherwise a
non-privileged account.
library organization
--------------------
each user has access to 3 levels of libraries: his own private library, a
group library, and the system library. to see what is in these libraries
you would type: catalog, group, & library respectively (all commands can
be abbreviated to the first 3 letters). the individual user is responsible
for his own library and maintaining all the files. if a program is in your
catalog, then you can change it.
[group masters]
group masters (gm) are responsible for controlling all programs in the
group libraries. only members of the group can use these programs. these
are viewed by typing group. for example, user s500 controls all programs
in the group library of all users beginning with id s5xx. other users in
the group cannot modify these programs. all programs in the group library
are also in the group master's private library (catalog), therefore he can
modify them! the group master also has access to 2 privileged commands.
they are: protect & unprotect. with protect, the group master can render a
program so it cannot be listed, saved, csaved, punched to paper tape, or
xpunched. for example, if the gm typed pro-wumpus, other users in the
group would be able to run wumpus but they would not be able to list it.
the gm can remove these restrictions with the unprotect command.
[system master]
there is exactly one system master (sm) and his user id is a000. he can
protect & unprotect programs in the system library. all users have access
to these files by typing library to view them. only the system master can
modify these files since his private library & group library constitute
the system library. the sm also has access to other privileged commands
such as:
directory: this command will print out all files and programs stored on the
system according to users. dir will print out the entire directory.
dir-s500 will start listing the directory with user s500.
example:
dir
boces ed 1              053/84  1243
id    name    date      length  disc    drum
a000  alpha   043/84    00498   001384
      bckgmn  053/84    04564   001526
      fprint  053/84    00567   002077
      stock   038/84    04332   002753
      tfile   020/83 f  00028   002804
      wumpus  053/84 p  02636   003142
b451  bljack  316/75    03088   011887
      golf    316/75    02773   011911
s500  gis     050/84 c  03120   019061
      giscl4  050/84 f  03741   022299
z999  hello   021/84    00058   011863
in this example, the system name is boces ed 1. the date of the printout
is the 53rd day of 1984 (053/84) and the time is 12:43 (24-hr). the files
appearing under a000 are those in the system library. the date associated
with the program is the date it was last referenced. the length is how
long it is in words. disc refers to its storage block location on one of
the hard drives. drum refers to its location on the drum storage unit.
only sanctified programs are stored on a drum to increase their access
time. the letters after the date refer to f if it is a file, p means it is
protected, and c means the program is compiled. in the example the system
program, wumpus, was last used on the 53rd day of 1984 (2-22-84); it is
currently unlistable (protected) and it occupies 2636 words of memory
starting at disc block 3142. the command sdirectory will print out
programs that are only stored on drum. most system directories are usually
longer than the example. the above example is an abridged version of a 43
page directory! the key will stop the listing if necessary.
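a parser for the directory printout explained above, written as an added example for reviewing such a listing; it is not part of the original text. it assumes two-digit years mean 19yy and that the drum column is empty, as it is in the example rows, and the function names are made up for illustration.

```python
import re
from datetime import date, timedelta

# rows copied from the directory example in the text (a subset, in order)
LISTING = """\
id name date length disc drum
a000 alpha 043/84 00498 001384
tfile 020/83 f 00028 002804
wumpus 053/84 p 02636 003142
s500 gis 050/84 c 03120 019061
giscl4 050/84 f 03741 022299
z999 hello 021/84 00058 011863
"""

# optional owner id, name, ddd/yy date, optional f/p/c flag, length, disc block
ROW = re.compile(r"^(?:([a-z]\d{3})\s+)?(\S{1,6})\s+(\d{3})/(\d{2})"
                 r"(?:\s+([fpc]))?\s+(\d+)\s+(\d+)$")
FLAGS = {None: "program", "f": "file", "p": "protected", "c": "compiled"}


def library_of(user_id):
    """library level implied by the owning id (a000 system, x?00 group master)."""
    if user_id == "a000":
        return "system"
    return "group " + user_id[:2] + "xx" if user_id.endswith("00") else "private"


def parse_directory(text):
    """parse dir rows; a row without an id belongs to the last id printed."""
    entries, owner = [], None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # heading line, not a program row
        uid, name, day, year, flag, length, disc = m.groups()
        owner = uid or owner
        if owner is None:
            continue  # row seen before any id was printed
        # assumption: two-digit years are 19yy; ddd is the day of that year
        last_ref = date(1900 + int(year), 1, 1) + timedelta(days=int(day) - 1)
        entries.append({"id": owner, "name": name, "last_ref": last_ref,
                        "kind": FLAGS[flag], "words": int(length),
                        "disc": int(disc), "library": library_of(owner)})
    return entries


def logon_program(entries):
    """the hello program under z999 runs at every logon; return it for review."""
    return [e for e in entries if (e["id"], e["name"]) == ("z999", "hello")]
```

the wumpus row parses to a protected system-library program of 2636 words last referenced on 1984-02-22, matching the walk-through in the text.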
report
the report command will show the user id, how much terminal time they
have used since the last billing period (in minutes), and how much disc
space they are using.
example:
report
boces ed 1              055/84  1905
id    time   space   id    time   space   id    time   space
a000  01150  12625   b451  00003  05861   b864  00000  00000
s500  00235  06861   s543  00421  00000   z999  00000  00058
the advantage of hacking the a000 password first is that you can use the
privileged commands to see which user id's exist and what programs
are stored where so that you can further penetrate the system.
port
this command tells the character size and baud rate at which each of the
32 ports are configured. it is in the format c-bbb, where c=character
size & bbb=baud rate. it is set up in columns of 8. the first row
corresponds to ports 0-7, the second row corresponds to 8-15, etc. this
is generally useless in my opinion. also, the ports are usually only
configured separately if the terminals are all hard-wired.
status
this command allows the sm to view information concerning the mass-storage
devices. it gives current locations of the id table, user swap areas, line
printer status, etc. it tends to hold a lot of info if it is read correctly.
unfortunately, i don't have the room to fully discuss it here.
since all logins & logouts are printed at the system console along with
pertinent information, i would strongly suggest that you avoid
extensive use of an a000 password if you find one.
the system operator has access to a lot of other commands. unfortunately,
he is situated at the system console which is hard-wired to the computer.
if anyone figures out a way to give a remote user sysop privileges, let me
know & i can help you with his commands.
non-privileged commands
-----------------------
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
library - lists the system programs. there is only 1 system library & any
user can access it.
example:
library
name    length   name    length   name    length   name    length
alpha      498   bckgmn    4564   fprint     567   stock     4332
tfile  f    28   wumpus p  2636
this uses the same notation as the privileged directory command.
to retrieve a program from the system library, you would type:
get-$name (to load the stock program, you would type get-$stock)
you can then run or list it. if you attempted to list wumpus which is
protected (p), it would say run only.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
group - lists all files in your group. it is in the same format as the library
command.
to retrieve a program from your group library, you would type:
get-*name
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
catalog - lists all files in your personal library. it is also in the same
format as the library command
to retrieve a program in your personal library, you would type:
get-name
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
other commands you can use with your personal files (or system files if
logged on as a000) include:
run            runs the program in the user swap area (memory)
list           lists the program in the user swap area
save-name      name may be up to 6 characters
csave-name     save in compiled form
name-name      assign a name to it
kill-name      deletes a file from your library
punch          punches a program onto paper tape
tape           input a paper tape
append-name    attaches the file name to current program in memory
length         tells the current length of program in memory
lprinter       designates the line printer as user output device
open           creates a file [open-file,# of records, (record lengths)]
renumber       renumbers statements [ren-(1st statement #),
               (interval between statements),(# to start renumbering at),
               (# to end renumbering)]
note: all commands can be abbreviated to the first 3 letters. the main
command is separated from the first parameter by a dash (-), the first
parameter is separated from the second parameter by a comma (,), and all
further parameters are separated by commas. eg, hel-a000,^c (i did actually
find a system where the sm password was ^c).
other useful commands
---------------------
bye            logs user off
echo-on        half-duplex
    -off       full-duplex (default)
scratch        clears users swap area (new)
key            transfers control to keyboard
time           informs user of total connect time & console time
message        sends a message to sysop console [mes-(text up to 68 chars)]
tsb 2000
--------
the programming of the system is above the scope of this tutorial. if you
do manage to get into the a000 or z999 accounts, there is sufficient info
provided in this text to help you manipulate the data. the basic is rather
extensive. the file commands are excellent & you can mask files so that
nobody can read them without the proper mask (i have already cracked this
code, though!). briefly, it is similar to most other basic's. if you
want, order their programming manual. it is called 20854a timeshared
basic/2000, level f (part # 02000-90073).
note: there are different levels (versions) of tsb/2000. this article is
based primarily on level f. most of the levels are similar in their
commands so the differences should not affect the hacker. also, some
systems are customized. eg, one system i know doesn't have the message
command because they don't want the operator bothered with messages.
another system says ??? instead of please log in and illegal instead of
illegal access. these are only trivial problems, though.
programs
--------
Hewlett-packard often supplies programs from their tsb library for the
systems. utilities such as ascii*, fprint, & others are almost inevitably
found on every system. standard games such as wumpus, stock, lunar, & many
others are also a "system must." other companies offer very large programs
for the hp2000 also. gis (guidance information systems) is a database to
help guidance counselors help students to select colleges, jobs,
financial aid, etc. gis is usually found in the s5xx group library (anyone
with an s5xx password can use it). unfortunately, sometimes these programs
are set so that a certain password will automatically run them. in
some cases you can abort by pressing the key. there is a basic
function [x=brk(0)] that disables the key. in this case, only the
sysop or the program can throw you into basic.
there are many alleged bugs on the hp2000 that allow users to do all
sorts of things. if you run across any of these be sure to let me know.
i have seen one system that consisted of 2 hp2000's running together. in
this case, the multiplexer would first ask the user system 1 or system 2?
before logging in. you would then type sys1 or sys2.
most of the hp2000 systems are used by schools, school districts, boces,
and various businesses. this was an ideal system for schools before
micro-computers existed. the hp2000 system has been in existence since
around 1973. it has been replaced by the hp3000 but there are still many
hp2000 systems in existence & i believe that they will stay there for
awhile.
here are the dial-ups to a few hp2000 systems to get you started:
[314/xxx-xxxx]
[203/xxx-xxxx]
[312/xxx-xxxx]
if you need help with anything on an hp2000 or find other hp2000 systems,
feel free to ask me. any comments, corrections, and/or threats are also
welcome.
yours truly,
*****bioc
*=$=*agent
*****003
<=-fargo 4a-=>>
Downloaded from..
The Lost City of Atlantis