***** BIOC Agent 003's tutorial in ***

=======================================
*        =HACKING THE HP2000=         *
=======================================

PREFACE
-------

   The purpose of this tutorial is to give potential hackers
useful information about Hewlett-Packard's HP2000 systems. The
following notation will be used throughout this tutorial:

<CR> - carriage return, RETURN, ENTER, etc.  
>C   - a control character (control-C in example)
CAPITAL LETTERS - computer output & user input

SYSTEM INFORMATION 
------------------

   Each HP2000 system can support up to 32 users in a Timeshared
BASIC (TSB) environment.  The systems usually run a version of
Hewlett-Packard's Timeshared/BASIC 2000 (various Levels).


LOGON PROCEDURE 
---------------

   Once connected to an HP2000, type a numeral followed by a
<CR>.  The system should then respond with:  PLEASE LOG IN.  If it
does not respond immediately, keep trying this procedure until
it does (they tend to be slow to respond).

   User ID:  The user id consists of a letter followed by 3
digits, e.g., H241.

   Password:  The passwords are from 1 to 6 printing and/or
non-printing (control) characters.  The following characters will
NOT be found in any passwords so don't bother trying them:  line
delete (>X), null (> ), return (>M), linefeed (>J), X-OFF (>S),
rubout, comma (>L), space (>), back arrow (<-), & underscore
(?).  HP also suggests that >E is not used in passwords (but I
have seen it done!).

   The logon format is:  HELLO-A123,PASSWD

   Where:  HELLO is the login command.  It may be abbreviated to
HEL.  A123 is the user id & PASSWD is the password.

   The system will respond with either ILLEGAL FORMAT or ILLEGAL
ACCESS depending upon whether you screwed up the syntax or it is
an invalid user id or password. The messages:  PLEASE LOG IN,
ILLEGAL FORMAT, & ILLEGAL ACCESS also help you identify HP2000
systems.

   The system may also respond with ALL PORTS ARE BUSY NOW -
PLEASE TRY AGAIN LATER or a similar message.  One other
possibility is NO TIME LEFT which means that they have used up
their time limit without paying.

   Unlike other systems where you have a certain number of tries
to log in, the HP2000 system gives you a certain time limit to
log on before it dumps you. The system default is 120 seconds (2
minutes).  The sysop can change it to be anywhere between 1 and
255 seconds, though.  In my experience, 120 seconds is
sufficient time for trying between 20-30 logon attempts while
hand-hacking & a much higher amount when using a hacking
program.

USERS
-----

   The various users are identified by their user id (A123) &
password.  Users are also identified by their group.  Each group
consists of 100 users.  For example, A000 through A099 is a
group, A100 through A199 is another group, & Z900 through Z999
is the last possible group.  The first user id in each group is
designated as the Group Master & he has certain privileges.  For
example, A000, A100,...H200..., & Z900 are all Group Masters.
The user id A000 is known as the System Master & he has the most
privileges (besides the hardwired sysop terminal). The library
associated with user Z999 can be used to store a HELLO program
which is executed each time someone logs on.

   So, the best thing to hack on an HP2000 system is the System
Master (A000) account.  It is also the only user id that MUST be
on the system. He logs on by typing: HEL-A000,PASSWD.  You just
have to hack out his password. If you decide to hack Z999, you
can create or change the HELLO program to give every user your
own personal message every time he logs on!  This is about all
you can do with Z999 though since it is otherwise a
non-privileged account.

LIBRARY ORGANIZATION
--------------------

   Each user has access to 3 levels of libraries:  his own
private library, a group library, and the system library. To see
what is in these libraries you would type:  CATalog, GROup, &
LIBrary respectively (all commands can be abbreviated to the
first 3 letters). The individual user is responsible for his own
library and maintaining all the files.  If a program is in your
CATALOG, then you can change it.

[Group Masters]

   Group Masters (GM) are responsible for controlling all
programs in the Group libraries.  Only members of the group can
use these programs.  These are viewed by typing GROUP.  For
example, user S500 controls all programs in the Group library of
all users beginning with id S5xx.  Other users in the group
CANNOT modify these programs.  All programs in the group library
are also in the Group Master's private library (CATALOG),
therefore he can modify them!  The Group Master also has access
to 2 privileged commands.  They are: PROtect & UNProtect.  With
PROTECT, the Group Master can render a program so it cannot be
LISTed, SAVed, CSAved, PUNched to paper tape, or XPUnched. For
example, if the GM typed PRO-WUMPUS,  other users in the group
would be able to RUN WUMPUS but they would not be able to list
it. The GM can remove these restrictions with the UNProtect
command.

[System Master]

   There is exactly one System Master (SM) and his user id is
A000.  He can PROTECT & UNPROTECT programs in the System
Library.  All users have access to these files by typing LIBRARY
to view them.  Only the System Master can modify these files
since his private library & group library constitute the
Library.  The SM also has access to other privileged commands
such as:

   DIRECTORY:  this command will print out all files and programs
stored on the system according to users. DIR will print out the
entire directory.  DIR-S500 will start listing the directory
with user S500.

example:

DIR
 BOCES ED 1   053/84   1243

 ID    NAME    DATE    LENGTH   DISC     DRUM 
A000  ALPHA   043/84    00498  001384 
      BCKGMN  053/84    04564  001526 
      FPRINT  053/84    00567  002077 
      STOCK   038/84    04332  002753 
      TFILE   020/83 F  00028  002804 
      WUMPUS  053/84 P  02636  003142 
B451  BLJACK  316/75    03088  011887 
      GOLF    316/75    02773  011911 
S500  GIS     050/84 C  03120  019061 
      GISCL4  050/84 F  03741  022299 
Z999  HELLO   021/84    00058  011863

   In this example, the system name is BOCES ED 1.  The date of
the printout is the 53rd day of 1984 (053/84) and the time is
12:43 (24-hr).  The files appearing under A000 are those in the
System Library.  The DATE associated with the program is the
date it was last referenced.  The LENGTH is how long it is in
words.  DISC refers to its storage block location on one of the
hard drives. DRUM refers to its location on the drum storage
unit.  Only sanctified programs are stored on a drum to improve
their access time.  The letter after the date is F if it
is a file, P if it is protected, and C if the program is
compiled.  In the example the system program, WUMPUS, was last
used on the 53rd day of 1984 (2-22-84); it is currently
unlistable (PROtected) and it occupies 2636 words of memory
starting at disc block 3142.  The command SDIrectory will print
out programs that are only stored on drum. Most system
directories are usually longer than the example.  The above
example is an abridged version of a 43 page directory!  The
<BREAK> key will STOP the listing if necessary.
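
   Added example (not part of the original tutorial): for an
administrator or someone preserving a TSB system, a Python parser
for the DIRECTORY layout explained above that also applies the role
rules from the USERS section. The sample listing is constructed from
the rows above; the 19yy century and all function names are
assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample: rows in the DIRECTORY layout shown above.
SAMPLE = """\
 BOCES ED 1   053/84   1243

 ID    NAME    DATE    LENGTH   DISC     DRUM
A000  ALPHA   043/84    00498  001384
      WUMPUS  053/84 P  02636  003142
S500  GIS     050/84 C  03120  019061
      GISCL4  050/84 F  03741  022299
Z999  HELLO   021/84    00058  011863
"""

ROW = re.compile(
    r"^(?P<id>[A-Z]\d{3})?\s+(?P<name>\S{1,6})\s+(?P<ddd>\d{3})/(?P<yy>\d{2})"
    r"(?:\s+(?P<flag>[FPC]))?\s+(?P<length>\d+)\s+(?P<disc>\d+)(?:\s+(?P<drum>\d+))?\s*$")
KIND = {"F": "file", "P": "protected", "C": "compiled", None: "program"}

def role(user_id):
    """Role implied by the id alone: A000, then x00 ids, then everyone else."""
    if user_id == "A000":
        return "system master"
    return "group master" if user_id.endswith("00") else "user"

def parse_directory(text):
    """Return one dict per listed file; a blank ID column inherits the owner above."""
    entries, owner = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or not (m["id"] or owner):
            continue  # system header, column header, blank or orphan line
        owner = m["id"] or owner
        # ddd/yy is day-of-year; 19yy is an assumption that fits the page's era.
        ref = date(1900 + int(m["yy"]), 1, 1) + timedelta(days=int(m["ddd"]) - 1)
        entries.append({"owner": owner, "role": role(owner), "name": m["name"],
                        "last_ref": ref, "kind": KIND[m["flag"]],
                        "words": int(m["length"]), "disc": int(m["disc"]),
                        "drum": int(m["drum"]) if m["drum"] else None})
    return entries

def shared_without_p_flag(entries):
    """Programs in the system or a group library that do not carry the P flag."""
    return [(e["owner"], e["name"]) for e in entries
            if e["role"] != "user" and e["kind"] in ("program", "compiled")]

if __name__ == "__main__":
    for e in parse_directory(SAMPLE):
        print(e["owner"], e["role"], e["name"], e["last_ref"], e["kind"], e["words"])
    print(shared_without_p_flag(parse_directory(SAMPLE)))
```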


   REPORT

   The REPORT command will show the USER id, how much terminal
TIME they have used since the last billing period (in minutes),
and how much disc SPACE they are using.

example:

REPORT
     BOCES ED 1 055/84    1905

 ID  TIME  SPACE     ID  TIME  SPACE     ID  TIME  SPACE
A000 01150 12625    B451 00003 05861    B864 00000 00000
S500 00235 06861    S543 00421 00000    Z999 00000 00058

The advantage of hacking the A000 password first is that you can
use the privileged commands to see which user id's exist
and what programs are stored where so that you can further
penetrate the system.


   PORT

   This command tells the character size and baud rate at which
each of the 32 ports is configured.  It is in the format c-bbb,
where c=character size & bbb=baud rate.  It is set up in columns
of 8.  The first row corresponds to ports 0-7, the second row
corresponds to 8-15, etc.  This is generally useless in my
opinion.  Also, the ports are usually only configured separately
if the terminals are all hard-wired.


   STATUS

   This command allows the SM to view information concerning the
mass-storage devices.  It gives current locations of the ID
table, user swap areas, line printer status, etc.  It tends to
hold a lot of info if it is read correctly. Unfortunately, I
don't have the room to fully discuss it here.

   Since all logins & logouts are printed at the system console
along with other pertinent information, I would strongly suggest
that you avoid extensive use of an A000 password if you find
one.


NON-PRIVILEGED COMMANDS
-----------------------
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   LIBRARY - lists the system programs. There is only 1 system
library & any user can access it.  example:

LIBRARY
 NAME    LENGTH    NAME    LENGTH
ALPHA       498    BCKGMN     4564  
FPRINT      567    STOCK      4332
TFILE  F     28    WUMPUS P   2636

   This uses the same notation as the privileged DIRECTORY
command.

   To retrieve a program from the system library, you would
type:

   GET-$NAME   (To load the STOCK program, you would type
GET-$STOCK)

   You can then RUN or LIST it.  If you attempted to LIST WUMPUS
which is PROTECTed (P), it would say RUN ONLY.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-

   GROUP - lists all files in your group. It is in the same
format as the LIBRARY command.

   To retrieve a program from your group library, you would
type:

     GET-*NAME
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   CATALOG - lists all files in your personal library.  It is
also in the same format as the LIBRARY command.

   To retrieve a program in your personal library, you would
type:

     GET-NAME
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   Other commands you can use with your personal files (or
system files if logged on as A000) include:

RUN             runs the program in the user swap area (memory)
LIST            lists the program in the user swap area 
SAVE-NAME       NAME may be up to 6 characters
CSAVE-NAME      save in compiled form
NAME-NAME       assign a name to it
KILL-NAME       deletes a file from your library
PUNCH           punches a program onto paper tape
TAPE            input a paper tape     
APPEND-NAME     attaches the file NAME to current program in
                memory
LENGTH          tells the current length of program in memory
LPRINTER        designates the line printer as user output device
OPEN            creates a file [OPEN- FILE,# of records,
                (record lengths)]
RENUMBER        renumbers statements [REN-(1st statement #),
                (interval between statements),(# to start
                renumbering at),(# to end renumbering)]

   NOTE:  All commands can be abbreviated to the first 3
characters.  The main command is separated from the first
parameter by a dash (-), the first parameter is separated from the
second parameter by a comma (,), and all further parameters are
separated by commas. E.G., HEL-A000,>C (I did actually find a
system where the SM password was >C).

OTHER USEFUL COMMANDS
---------------------

BYE        logs user off
ECHO-ON    half-duplex
    -OFF   full-duplex (default)
SCRATCH    clears user's swap area
(NEW)
KEY        transfers control to keyboard from paper tape, etc.
TIME       informs user of total connect time & console time
MESSAGE    sends a message to sysop console:
           MES-(text up to 68 chars)

TSB 2000
--------

   The programming of the system is beyond the scope of this
tutorial. If you do manage to get into the A000 or Z999
accounts, there is sufficient info provided in this text to help
you manipulate the data. The BASIC is rather extensive. The file
commands are excellent and you can mask files so that NOBODY can
read them without the proper mask. Briefly, it is similar to
most other BASICs. If you want, order their programming manual.
It is called 20854A Timeshared BASIC/2000, Level F (part #
02000-90073).

   NOTE: There are different levels (versions) of TSB/2000. This
article is based primarily on Level F. Most of the levels are
similar in their commands so the differences should not affect
the hacker. Also, some systems are customized. E.g., one system I
know doesn't have the MESSAGE command because they don't want
the operator bothered with messages. Another system says ???
instead of PLEASE LOG IN and ILLEGAL instead of ILLEGAL
ACCESS. These are trivial problems, though.

PROGRAMS
--------

   Hewlett-Packard often supplies programs from their TSB
Library for the systems. Utilities such as ASCII*, FPRINT, and
others are almost inevitably found on every system. Standard
games such as WUMPUS, STOCK, LUNAR, and many others are also a
'system must'. Other companies offer very large programs for the
HP2000 also. GIS (Guidance Information Systems) is a database
to help guidance counselors help students to select colleges,
jobs, financial aid, etc. GIS is usually found in the S5xx group
library (anyone with a S5xx password can use it). Unfortunately,
sometimes these programs are set so that a certain password will
automatically RUN them. In some cases you can abort by pressing
the <BREAK> key. There is a BASIC function [X=BRK(0)] that
disables the <BREAK> key. In this case, only the Sysop or the
program can throw you into BASIC.

   There are many alleged bugs on the HP2000 that allow users to
do all sorts of things.

   I have seen one system that consisted of 2 HP2000's running
together. In this case, the multiplexer would first ask the user
SYSTEM 1 OR SYSTEM 2? before logging in. You would then type
SYS1 or SYS2.

   Most of the HP2000 systems are used by schools, school
districts, BOCES, and various businesses. This was an ideal
system for schools before micro-computers existed. The HP2000
system has been in existence since around 1973. It has been
replaced by the HP3000 but there are still many HP2000 systems
in existence and I believe that they will stay there for a while.

Yours Truly,

*****BIOC
*=$=*Agent
*****003           Knights of Shadow
                   <<=-FARGO 4A-=>>
