
Phone Phreaking Newbie



#1 ny0n

ny0n

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 12 posts

Posted 26 August 2006 - 02:08 AM

I think I might get into phone phreaking. Where do I start? Like, what
should I study in order to be good at phone phreaking? Thanks.

#2 Strom Carlson

Strom Carlson

    Nub

  • Members
  • 2,575 posts
  • Gender:Male
  • Location:Los Angeles

Posted 26 August 2006 - 07:24 AM

http://stromcarlson....elephony101.pdf

There's a start :)

#3 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,216 posts
  • Gender:Male

Posted 26 August 2006 - 01:57 PM

One of the most crucial parts of the telephone network and phone phreaking is the types of switching equipment that serve dialtone to people throughout the network. To help you understand and identify these types of switching equipment, I'll document some of their behaviors and peculiarities. I'll try to keep the documentation easy to understand, but if I get carried away and make it a bit complicated, don't be afraid to ask a few questions.

Lucent 5ESS
----------------
This, along with the DMS-100, is one of the most common types of switches you'll find in the United States Public Switched Telephone Network. One of the most distinguishing and foremost characteristics of it is the sound of dialtone coming on, which you can hear here. One of the interesting things I've noticed about this switch is that if you get dialtone, and then hang up and pick up at just the right speed, you can hear it make a slightly different sound. The same tick-tick noise that you heard at dialtone can, interestingly enough, be heard on some different calls, such as when it switches you to the recording you get when you leave your phone off the hook. Unfortunately, the only recording I have of this is one of my earlier ones, which I didn't do exactly the best job of recording. Nevertheless, it clearly demonstrates what happens on a 5ESS when you leave your phone off the hook. What it doesn't clearly demonstrate, though, is that on the 5ESS, the first ring you get from it will be for a completely random length of time. This is because the switch moved me from the ring to the recording while it was in the middle of ringing. I recorded a call going to a number telling me to dial one first while I was at it, which gives a clearer demonstration, since the first two rings are uninterrupted, unlike the third. The static you hear before the touchtones is due to the fact that the phone I was using is a very cheaply made phone at my grandmother's house, and it was the best option for recording at the time. Strom Carlson has some excellent recordings of a few other things the 5ESS does, such as how it'll sound if you pick up a payphone that is controlled directly by the 5ESS, the behavior of a 5ESS after a call hangs up on you, and other cool things. All of them can be found here in his trip through Southern California.
One of the issues I've found with this system is that if you're calling a Western Electric 1AESS (covered later), you usually don't get to hear the thunk noise of the call connecting, unless you're going to an intercept system telling you that a number you've reached has been disconnected or Not In Service.

Nortel DMS-100
--------------------
The DMS-100 is a great deal different from the 5ESS. Unlike it, when you pick up your phone, there will be no ticks at all, and the dialtone will seem to just be there. Like the 5ESS, though, you can get it to make a slightly different sound when dialtone comes on, but it works a bit differently. In order to get it to happen, you'll have to pick up your phone, hang it up for a bit longer and pick it up again. The noise isn't as interesting, but you can still hear it here along with my rotary dialing a one into the switch, which, as you can hear, makes a burst of dialtone at the end. This doesn't exist in the 5ESS; when you rotary dial a one in a 5ESS, you'll get immediate silence. When you leave your phone off the hook, the DMS-100 will make the first pulse of off-hook tone stutter, unlike most other switches, including its little brother, the DMS-10, which I'll also cover later. Interestingly enough, when you get a busy signal from one, it will go on for exactly thirty pulses, and a reorder will go on for exactly sixty pulses. With other switches, it will usually go on for a good while. Also, the ring in a DMS-100 and the DMS-10 has exact timing and will not be on for a random amount of time, unless it is interrupted by something picking up. Some of the DMSes' software versions can make rather amusing bugs occur, such as the one demonstrated here. After a repetition of the recording telling you to unblock your caller ID, the DMS will interrupt the recording in the middle of the repetition and give me the All Circuits Busy message. Had I not been calling a number assigned to the recording itself, and rather been blocking my Caller ID to a number that didn't accept anonymous calls, it would have started to ring in the middle of the second repetition, and would start ringing the phone number anyway! If you would like to experience this error in realtime, call 434-975-9999.
Regardless of whether you're blocking your Caller ID or not, it will give you that error message and then you'll get my All Circuits Busy recording. Similar things happen with other numbers as well, such as with 800 numbers: when the other person hangs up, my switch in particular will forward me to a recording telling me that to complete my call, I have to dial at least seven digits.

Western Electric 1AESS
----------------------------
By far, this is most definitely my favorite switch in the United States Public Switched Telephone Network. I won't get into all the details of the transition from the 1ESS, or how Western Electric eventually became Lucent, as they're available elsewhere. Although admittedly, I have never, ever dialed out from one of these, I can say that it is somewhat similar to the 5ESS, but they still have their good share of differences between them. First off, the 1AESS is a ways off from modern technology. It uses magnetic-latching relays to complete calls, tell when calls supervise (answer and charge), and pretty much everything else aside from getting call data from other switches, generating caller ID tones, using its 3-way capabilities, and call waiting. I don't have any way of knowing how Caller ID works with the 1AESS, but I believe the 1A processor in the switch will input the data into a hardware device that will cut into the call before the person picks up, and use that to generate the Caller ID tones, unlike with modern switches, which will generate it entirely with software. Since it uses relays to switch calls, you get to hear a thunk noise as it lets you onto the call, as demonstrated in 804-291-9950, and another when the call charges, which isn't heard in that number, as the call doesn't charge. To sum it up shortly, these switches have a random timing on the first ring, will click and start ringing immediately when you call a ringing number, although you can't always hear it, especially if you're dialing out from a 5ESS, they'll stop the dialtone immediately after dialing a digit, and do not stutter when the offhook tone is put onto your line. Also, if you're lucky enough, you'll get to hear crosstalk from other calls bleeding in onto the line, because of the relay that's switching your call being close enough to other in-use relays for the electromagnetic signal to be able to come through onto it.
By far, the best example of this I've found is the number 214-946-9990. Calling in the daytime is recommended, since you'll have a better chance of having more numbers in use, therefore increasing the chance of crosstalk. Although this may not be true of all of these left in the US PSTN, the two closest to me are in *very* bad neighborhoods, hence why I haven't touched one yet. They can be found in a few states in the Midwest as well as most Southern states.

Stromberg Carlson DCO
------------------------------
This little switch is used widely by the independent companies in the US and is now produced by Siemens, along with the lesser known Siemens EWSD. Although I haven't dialed out from one, I'm positive this switch has random timing on its first ring.

Nortel DMS-10
------------------
This is essentially a smaller version of the Nortel DMS-100, with different hardware to go with it. Although I have never dialed out from one, two things I am sure of are that it has exact timing on its first ring and has a strange modulation in its offhook tone.

Automatic Electric GTD-5 EAX
------------------------------------
This is a fully digital switch that was once made by Automatic Electric, the manufacturing arm of GTE. It is currently supported and manufactured by Lucent. You'd be better off asking Strom about this one. He's dialed out from a few, as well as made recordings of it.


Hopefully, I haven't talked your ear off too much. If you still have trouble figuring out what switch serves your line, bellsmind.net can tell you ;) .

EDIT: I was a bit hasty in finishing this up around the end, as some people may be able to tell. I may edit this again later to correct any errors I find, or add a bit more if possible.

Sources:
Strom Carlson's Socal Trip
Evan Doorbell's "Permanent Signal Recordings tape"
Evan Doorbell's "How I became a Phone Phreak, part three" tape
OTH interview with Joybubbles
My own exploration throughout the network

Edited by ThoughtPhreaker, 30 August 2006 - 11:06 PM.
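The post above fingerprints switches partly by tone cadence (a DMS-100 busy signal running exactly thirty pulses, a reorder exactly sixty, ring timing exact or random). Here is an added Python example, not code from the post or from BinRev, that measures such cadences from an 8 kHz PCM sample: it collapses the signal into on/off runs by 10 ms frame RMS, counts the pulses, and matches the mean on/off durations against a small table. The table (busy = 480+620 Hz at 0.5 s on/0.5 s off, reorder = same tones at 0.25 s on/0.25 s off) is taken from the North American precise tone plan, not from the page, and the input is a synthetic signal constructed inline so the example runs offline.

```python
import math

RATE = 8000  # samples per second: the PSTN's 8 kHz narrowband rate

# Assumed cadences (North American precise tone plan; not stated on the page):
# busy = 480+620 Hz, 0.5 s on / 0.5 s off; reorder = same tones, 0.25 s on / 0.25 s off.
CADENCES = {"busy": (0.5, 0.5), "reorder": (0.25, 0.25)}


def tone(freqs, seconds, peak=8000):
    """Sum of sine waves at `freqs`, scaled so the peak never exceeds `peak`."""
    n = int(seconds * RATE)
    amp = peak / len(freqs)
    return [int(amp * sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs))
            for i in range(n)]


def silence(seconds):
    return [0] * int(seconds * RATE)


def synth_cadence(on_s, off_s, pulses, freqs=(480, 620)):
    """Constructed test signal: `pulses` repetitions of tone-on followed by silence."""
    out = []
    for _ in range(pulses):
        out += tone(freqs, on_s) + silence(off_s)
    return out


def envelope_runs(samples, frame=80, threshold=500.0):
    """Collapse the signal into alternating ('on'|'off', seconds) runs using frame RMS.

    frame=80 samples is 10 ms at 8 kHz, fine enough to resolve a 250 ms reorder pulse.
    """
    runs = []
    for i in range(0, len(samples) - frame + 1, frame):
        chunk = samples[i:i + frame]
        rms = math.sqrt(sum(x * x for x in chunk) / frame)
        state = "on" if rms > threshold else "off"
        if runs and runs[-1][0] == state:
            runs[-1][1] += frame / RATE      # extend the current run
        else:
            runs.append([state, frame / RATE])
    return [(s, d) for s, d in runs]


def classify_cadence(samples, tolerance=0.05):
    """Count on-pulses and match mean on/off durations against CADENCES."""
    runs = envelope_runs(samples)
    on = [d for s, d in runs if s == "on"]
    off = [d for s, d in runs if s == "off"]
    mean_on = sum(on) / len(on) if on else 0.0
    mean_off = sum(off) / len(off) if off else 0.0
    kind = "unknown"
    for name, (exp_on, exp_off) in CADENCES.items():
        if abs(mean_on - exp_on) < tolerance and abs(mean_off - exp_off) < tolerance:
            kind = name
    return {"kind": kind, "pulses": len(on),
            "on_s": round(mean_on, 3), "off_s": round(mean_off, 3)}


if __name__ == "__main__":
    # The two DMS-100 observations from the post, reproduced as synthetic input.
    print(classify_cadence(synth_cadence(0.5, 0.5, 30)))    # busy, 30 pulses
    print(classify_cadence(synth_cadence(0.25, 0.25, 60)))  # reorder, 60 pulses
```

On a real recording you would replace `synth_cadence` with samples read from a WAV file and may need to raise `threshold` above the line noise floor; the pulse count and the on/off means are what distinguish a switch that times out its busy tone from one that lets it run.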


#4 invision620

invision620

    Dangerous free thinker

  • Members
  • 767 posts
  • Gender:Not Telling

Posted 26 August 2006 - 02:41 PM

One of the most crucial parts of the telephone network and phone phreaking is the types of switching equipment that serve dialtone to people throughout the network. To help you understand and identify these types of switching equipment, I'll document some of their behaviors and peculiarities. I'll try to keep the documentation easy to understand, but if I get carried away and make it a bit complicated, don't be afraid to ask a few questions.

Lucent 5ESS
----------------
This, along with the DMS-100, is one of the most common types of switches you'll find in the United States Public Switched Telephone Network. One of the most distinguishing and foremost characteristics of it is the sound of dialtone coming on, which you can hear here. One of the interesting things I've noticed about this switch is that if you get dialtone, and then hang up and pick up at just the right speed, you can hear it make a slightly different sound. The same tick-tick noise that you heard at dialtone can, interestingly enough, be heard on some different calls, such as when it switches you to the recording you get when you leave your phone off the hook. Unfortunately, the only recording I have of this is one of my earlier ones, which I didn't do exactly the best job of recording. Nevertheless, it clearly demonstrates what happens on a 5ESS when you leave your phone off the hook. What it doesn't clearly demonstrate, though, is that on the 5ESS, the first ring you get from it will be for a completely random length of time. This is because the switch moved me from the ring to the recording while it was in the middle of ringing. I recorded a call going to a number telling me to dial one first while I was at it, which gives a clearer demonstration, since the first two rings are uninterrupted, unlike the third. The static you hear before the touchtones is due to the fact that the phone I was using is a very cheaply made phone at my grandmother's house, and it was the best option for recording at the time. Strom Carlson has some excellent recordings of a few other things the 5ESS does, such as how it'll sound if you pick up a payphone that is controlled directly by the 5ESS, the behavior of a 5ESS after a call hangs up on you, and other cool things. All of them can be found here in his trip through Southern California.
One of the issues I've found with this system is that if you're calling a Western Electric 1AESS (covered later), you usually don't get to hear the thunk noise of the call connecting, unless you're going to an intercept system telling you that a number you've reached has been disconnected or Not In Service.

Nortel DMS-100
--------------------
The DMS-100 is a great deal different from the 5ESS. Unlike it, when you pick up your phone, there will be no ticks at all, and the dialtone will seem to just be there. Like the 5ESS, though, you can get it to make a slightly different sound when dialtone comes on, but it works a bit differently. In order to get it to happen, you'll have to pick up your phone, hang it up for a bit longer and pick it up again. The noise isn't as interesting, but you can still hear it here along with my rotary dialing a one into the switch, which, as you can hear, makes a burst of dialtone at the end. This doesn't exist in the 5ESS; when you rotary dial a one in a 5ESS, you'll get immediate silence. When you leave your phone off the hook, the DMS-100 will make the first pulse of off-hook tone stutter, unlike most other switches, including its little brother, the DMS-10, which I'll also cover later. Interestingly enough, when you get a busy signal from one, it will go on for exactly thirty pulses, and a reorder will go on for exactly sixty pulses. With other switches, it will usually go on for a good while. Also, the ring in a DMS-100 and the other DMSes, such as the DMS-10 and DMS-1, has exact timing and will not be on for a random amount of time, unless it is interrupted by something picking up. Some of the DMSes' software versions can make rather amusing bugs occur, such as the one demonstrated here. After a repetition of the recording telling you to unblock your caller ID, the DMS will interrupt the recording in the middle of the repetition and give me the All Circuits Busy message. Had I not been calling a number assigned to the recording itself, and rather been blocking my Caller ID to a number that didn't accept anonymous calls, it would have started to ring in the middle of the second repetition, and would start ringing the phone number anyway! If you would like to experience this error in realtime, call 434-975-9999.
Regardless of whether you're blocking your Caller ID or not, it will give you that error message and then you'll get my All Circuits Busy recording. Similar things happen with other numbers as well, such as with 800 numbers: when the other person hangs up, my switch in particular will forward me to a recording telling me that to complete my call, I have to dial at least seven digits.

Western Electric 1AESS
----------------------------
By far, this is most definitely my favorite switch in the United States Public Switched Telephone Network. I won't get into all the details of the transition from the 1ESS, or how Western Electric eventually became Lucent, as they're available elsewhere. Although admittedly, I have never, ever dialed out from one of these, I can say that it is somewhat similar to the 5ESS, but they still have their good share of differences between them. First off, the 1AESS is a ways off from modern technology. It uses reed relays to complete calls, tell when calls answer, and pretty much everything else aside from getting call data from other switches, generating caller ID tones, using its 3-way capabilities, for which of course the relays must still be used, but intelligence is required on the part of the processor to know where to drop the call into, and its call waiting capabilities, in which again the processor must also participate. I don't have any way of knowing how Caller ID works with the 1AESS, but I believe the 1A processor in the switch will input the data into a hardware device that will cut into the call before the person picks up, and use that to generate the Caller ID tones, unlike with modern switches, which will generate it entirely with software. Since it uses relays to switch calls, you get to hear a thunk noise as it lets you onto the call, as demonstrated in 804-291-9950, and another when the call charges, which isn't heard in that number, because the call doesn't charge. To sum it up shortly, these switches have a random timing on the first ring, will click and start ringing immediately when you call a ringing number, although you can't always hear it, especially if you're dialing out from a 5ESS, they'll stop the dialtone immediately after dialing a digit, and do not stutter when the offhook tone is put onto your line.
Also, if you're lucky enough, you'll get to hear crosstalk from other calls bleeding in onto the line, because of the relay that's switching your call being close enough to other in-use relays for the electromagnetic signal to be able to come through onto it. By far, the best example of this I've found is the number 214-946-9990. Calling in the daytime is recommended, since you'll have a better chance of having more numbers in use, therefore increasing the crosstalk. Although this may not be true of all of these left in the US PSTN, the two closest to me are in *very* bad neighborhoods, hence why I haven't touched one yet. They can be found in a few states in the Midwest as well as most Southern states.

Stromberg Carlson DCO
------------------------------
This little switch is used widely by the independent companies in the US and is now produced by Siemens. Although I haven't dialed out from one, I'm positive this switch has random timing on its first ring.

Nortel DMS-10
------------------
This is essentially a smaller version of the Nortel DMS-100, with different hardware to go with it. Although I have never dialed out from one, two things I am sure of are that it has exact timing on its first ring and has a strange modulation in its offhook tone.

Automatic Electric GTD-5 EAX
------------------------------------
This is a fully digital switch that was once made by Automatic Electric, the manufacturing arm of GTE. It is currently supported and manufactured by Lucent. You'd be better off asking Strom about this one. He's dialed out from a few, as well as made recordings of it.


Hopefully, I haven't talked your ear off too much. If you still have trouble figuring out what switch serves your line, bellsmind.net can tell you ;) .

EDIT: I was a bit hasty in finishing this up around the end, as some people may be able to tell. I may edit this again later to correct any errors I find, or add a bit more if possible.

Sources:
Strom Carlson's Socal Trip
Evan Doorbell's "Permanent Signal Recordings tape"
Evan Doorbell's "How I became a Phone Phreak, part three" tape
My own exploration throughout the network



I wish I would've had that when I started :P You need to submit that to oldskoolphreak!

#5 JmanA9

JmanA9

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 434 posts
  • Location:NPA 724

Posted 26 August 2006 - 02:56 PM

I wish I had that, too! Great writeup. Your 5ESS "Dial 1 first recording" link is broken, though.

As a side note, I've actually dialed from the 214-946 1AESS :)

#6 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,216 posts
  • Gender:Male

Posted 27 August 2006 - 11:55 AM


Thanks! I'm thinking of submitting it, but I'll have to think of a way to convert all the links to text format first.

By the way, that's awesome that you've been able to dial through one of the Dallas 1AESSes. Texas in itself seems to have a good number of these left. I'm curious, though, what did it sound like close up? For that matter, what was the area that the switch served like?

#7 unity

unity

    Ten Ten Three Two Three

  • Agents of the Revolution
  • 1,236 posts

Posted 27 August 2006 - 12:02 PM

Just use some sort of markup. Like, when you had "studder" (stutter?) as a link, you could just put "stutter (1)", and at the end of the file, have a (1) and a link. Just an idea.

#8 TelcoBob

TelcoBob

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 409 posts
  • Location:LATA 420

Posted 28 August 2006 - 03:42 PM

Or you could just do it in an audio format and just add the sounds in the appropriate places. It would give me something to listen to on my upcoming road trip ^_^

#9 unity

unity

    Ten Ten Three Two Three

  • Agents of the Revolution
  • 1,236 posts

Posted 28 August 2006 - 04:20 PM

Sounds in an old skool phreak t-file? That's leet. I guess you could uuencode them, or something.

#10 JmanA9

JmanA9

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 434 posts
  • Location:NPA 724

Posted 03 September 2006 - 12:24 AM

Texas sure does have a lot of 1AESS'es. My guess is that Southwestern Bell was first to jump on the ESS bandwagon, and now there isn't that big of a reason to shell out the money to upgrade to a 5ESS or DMS-100. I believe this one was the second 1AESS I've dialed from. There is (or was) only one around here. Telcodata says there is still a 1AESS serving the 412-363 exchange, and others. I know someone who used to have a line out of that CO, which I've used many times over the past 10 years. When I had a good bit of knowledge about phones under my belt, I put a bunch of exchanges I was familiar with into Telcodata to see what types of switching equipment they used, and I found one that was a 1AESS. I couldn't wait to get over there and hear the 1A goodness, but unfortunately, my friend had just recently switched to Comcast Digital Phone service, and when I got there, I was less than thrilled to find that out. However, I'm sure that I've used that 1A at some point during my time dialing from their phone.

Dialing various numbers in the exchange doesn't produce any of the normal 1AESS sounds, so I think it must have been upgraded. If anyone with access to a database with higher authority, such as LERG, wants to check that out for me, I'd appreciate it.

Back to Texas. The area I visited served by this 1AESS was on the outskirts of the city. It was a pretty nice area. I couldn't dare to estimate how many phones are being served by the switch, seeing as how I don't know how big of an area the switch serves. There's 1AESS'es and 5ESS'es surrounding it.

The dialtone sounded somewhat different to what I'm used to hearing. I can't really describe it, but something about the tone was odd. I really wish I had my recording gear with me, because I have no recordings made from a phone served from a 1AESS. I was only able to use the phone for about 5 minutes, too. I'm going back in about a year, so hopefully I'll be able to get some recordings made.

#11 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,216 posts
  • Gender:Male

Posted 19 September 2006 - 09:35 PM



Sorry to hear about your friend moving to telephony over cable. As for your reasoning, it definitely seems possible that they were the first to install some of the earlier ESSes. A while ago, I was talking to Strom, and he mentioned that one reason they might still be in service is because of regulatory reasons; the telephone companies could be keeping them in service in order to justify to the public service commission the reason for giving taxes on something; GTE kept a step switch around until 1998 in order to justify to the public service commission their charging customers a tax for touchtones. If my understanding of it is correct, though, the FCC decided to rule that electro-mechanical switching was unacceptable in the United States PSTN. Even before the regulation was passed, though, LECs were still getting a good deal of heat about leaving things as recent as an electronically controlled analog switch still in service.

3. See Finding nos. 5 and 16 in our Order dated April 4, 1996, Docket No. 95-049-22, In the Matter of the Request of US West Communications, Inc., for Approval of Changed Depreciation Rates. Throughout this decade we have prescribed aggressive capital recovery rates "to protect the Company from technological obsolescence and to provide sufficient cash flow to expand and modernize its telecommunications infrastructure." In Docket No. 95-049-22 we found analog switches (the technology which precludes rebranding), "obsolete and inferior" based on the unanimous consensus of parties on that record. USWC agreed in that case to a 1999 retirement schedule for all analog switches, a schedule subsequently twice extended, thus prolonging the "technical infeasibility" defense USWC uses in this arbitration to avert rebranding of directory assistance and operator assisted call completion services.

I'm not sure about you, but that gives me a burning sensation :blowfuse: . If you look at the whole document, it's evident that they didn't even give a reason to justify why the analog switching is "obsolete and inferior". Another reason they were pressuring US West was because they claimed it to be unreliable, despite the fact the 1AESS was designed to have less than two hours downtime in forty years of continuous operation.

Okay, done ranting :P . Anyways, a member of a mailing list I subscribe to provided a fairly good reason as to why dialtone sounds completely different between the 1A and the 5E.

Digital ESS dial tone sounds different from analog ESS or electromechanical precise dial tones because in digital ESS dial tone is connected to the line as mu-law PCM via a digital pathway. This introduces quantizing distortion that is especially noticeable if you hold the receiver away from your ear. If you press the receiver against your ear it is less noticeable.
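The quoted explanation attributes the different sound of digital-switch dialtone to mu-law PCM quantizing distortion. The following is an added Python example, not code from the thread or from the mailing list quoted above, that makes that claim measurable: it implements the G.711 mu-law encoder and decoder (the standard segment/mantissa form), passes a constructed precise dial tone through them, and reports the signal-to-quantization-noise ratio at three levels, beside uniform 8-bit PCM for comparison. The dial tone frequencies (350 Hz + 440 Hz) are assumed from the North American precise tone plan and are not stated on the page; the samples are synthesized inline so nothing is downloaded.

```python
import math

RATE = 8000      # 8 kHz, the PSTN sample rate
BIAS = 0x84      # 132: G.711 mu-law encoder bias
CLIP = 32635     # largest magnitude the 16-bit encoder represents


def linear_to_ulaw(sample: int) -> int:
    """Encode a signed 16-bit PCM sample as one G.711 mu-law byte."""
    sign = 0
    if sample < 0:
        sample, sign = -sample, 0x80
    sample = min(sample, CLIP) + BIAS
    # Segment (0..7) = how far the highest set bit lies above bit 7.
    exponent, mask = 7, 0x4000
    while exponent > 0 and not (sample & mask):
        exponent -= 1
        mask >>= 1
    mantissa = (sample >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF   # G.711 sends the complement


def ulaw_to_linear(byte: int) -> int:
    """Decode one mu-law byte to 16-bit PCM (the midpoint of its quantization bin)."""
    byte = ~byte & 0xFF
    sign, exponent, mantissa = byte & 0x80, (byte >> 4) & 0x07, byte & 0x0F
    magnitude = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -magnitude if sign else magnitude


def dial_tone(seconds=0.1, peak=16000):
    """Constructed precise dial tone: 350 Hz + 440 Hz (assumed from the NA tone plan)."""
    n = int(seconds * RATE)
    return [int(round(peak / 2 * (math.sin(2 * math.pi * 350 * i / RATE)
                                  + math.sin(2 * math.pi * 440 * i / RATE))))
            for i in range(n)]


def ulaw_roundtrip(samples):
    return [ulaw_to_linear(linear_to_ulaw(s)) for s in samples]


def linear8_roundtrip(samples):
    """Uniform 8-bit PCM for comparison: keep only the top 8 of 16 bits."""
    return [max(-32768, min(32767, int(round(s / 256)) * 256)) for s in samples]


def snr_db(original, reconstructed):
    signal = sum(x * x for x in original)
    noise = sum((x - y) ** 2 for x, y in zip(original, reconstructed))
    return float("inf") if noise == 0 else 10 * math.log10(signal / noise)


def quantization_report(peak):
    """SNR (dB) of the dial tone after mu-law and after uniform 8-bit quantization."""
    tone = dial_tone(peak=peak)
    return {"ulaw": round(snr_db(tone, ulaw_roundtrip(tone)), 1),
            "linear8": round(snr_db(tone, linear8_roundtrip(tone)), 1)}


if __name__ == "__main__":
    for peak in (16000, 1600, 160):   # loud, -20 dB, -40 dB
        print(peak, quantization_report(peak))
```

The mu-law figure stays in the high-30s dB for a loud tone and falls only slowly as the level drops, because the segment step size shrinks with the signal; uniform 8-bit quantization looks fine at full level and collapses at -40 dB. Either way the distortion the quoted message describes is there in the numbers: a 16-bit line feed through mu-law never comes back bit-exact.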

