
Switch bugs


28 replies to this topic

#1 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,228 posts
  • Gender:Male

Posted 26 December 2008 - 10:37 PM

Back when I was served out of a DMS-100, I found out that it was possible to force the switch to keep you connected to the ANAC trunk if you flashed at just the right time. It's not very useful, but it could show a lot of potential for some more interesting results.
The way it works is, right as the ANAC starts reading off the last four digits of your number, flash, and click back sometime around the very last digit. I forgot if it's before, in between, or after the digit, but it's pretty easy to get the hang of once you've got it. If you flash back too late, the DMS will see the ANAC hanging up, and keep you stuck to the three-way dialtone. As you might've guessed, it'll disconnect you as usual if you flash back too early. If you flash back at just the right time, though, you get to stay on and hear the ANAC give you the fake reorder/weird hum/whatever it does after it's finished until the end of time. Not very interesting, sure, but it's a start on what could be a pretty cool bug, right?
Obviously, you can't use this to hold up a regular subscriber, since you'd have to be able to predict exactly when to flash back, but you can predict when something like an IVR, or a recording is going to disconnect, right? What if you were able to get yourself stuck to, say, an outgoing trunk, or a line card or something using the same technique? I dunno about you, but I think that'd be pretty cool :) . By the way, if you were hoping to find a way to MF into an outgoing trunk or something like that, you might as well forget about it. See, unless you're sitting on a TOPS trunk or something like it, the DMS isn't going to pass along supervision, and even if it did, it'd be passing along flashes at the same time, so it wouldn't let you click over.

As for the other switches, I can't say a whole lot, but you can bet this is the first thing I tried when I found the ANAC number on my 5E line. Even being as loud and ghetto as it is, the 5ESS is a bit harder to fool. Even if you manage to click back right as the ANAC hangs up, it's going to see it, and you'll get dropped. At least, that's the way mine is. Yours could be set up differently.

As with anything, 5Es aren't perfect, though. Not more than a few months ago, I had the weirdest experience I think I'll ever have on the phone. I picked up and made a long distance call to a bridge, but as soon as I finished dialing, the number was ringing. I figured the bridge could've just been broken, and for one reason or another, I flashed. As soon as I did, I got ringing voltage sent back to me! As you might imagine, I was pretty confused, so I hung up and tried calling it again. The bridge worked without a hitch.

#2 The Philosopher

The Philosopher

    The phorce is with me!

  • Members
  • 73 posts
  • Gender:Female

Posted 27 December 2008 - 12:21 AM

Back when I was served out of a DMS-100, I found out that it was possible to force the switch to keep you connected to the ANAC trunk if you flashed at just the right time. It's not very useful, but it could show a lot of potential for some more interesting results.


Being an "inside-out" person with the phone network as I am, I can't help but wondering with a burning curiosity exactly how this works with regard to the switch itself - the actual reasons in the hardware and software as to why this works as it does. I would like to state for the record also that this is one of the most interesting topics ever to be posted on Binrev. Leave it to ThoughtPhreaker to post it. :) My immediate addition may seem rather inferior, but I may edit this post later to add some of my experiences with switch oddities. Here is a link to an article in the Winter 1993/1994 issue of 2600 regarding switch identification idiosyncrasies. It isn't extremely helpful, and I am not certain if these can be considered "bugs", but I thought it an interesting little column of text:

http://72.52.208.92/...g/2600/know.jpg

(Note: I absolutely DO NOT condone the website that this was discovered on, but it was the only location in which I could find it).

Edited by The Philosopher, 27 December 2008 - 12:39 AM.


#3 dual

dual

    BinRev veteran

  • Agents of the Revolution
  • 1,196 posts
  • Gender:Male

Posted 27 December 2008 - 08:47 AM

That is really interesting. I think I'll get a landline again because of this thread. :)

Also check out ThoughtPhreaker's Switch Descriptions.

#4 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,228 posts
  • Gender:Male

Posted 29 December 2008 - 04:02 PM

Wow, it had that much of an impact? Awesome! :)

There's also another bug on the DMS-100, but if I understand correctly, it only works on ones that have old software/that were configured by doug. It's not fraudulent, but because it's way too leet to be posted out in an open forum, I'll just say that you might've tried it if you dial with CACs a lot.

Also, I really need to update that article sometime :/ .

#5 rjp

rjp

    Will I break 10 posts?

  • Members
  • 8 posts

Posted 30 December 2008 - 02:51 PM

Years ago, my home town was served by a 2ESS. I found a non-useful bug on the 2E: If you picked the phone up and then hung up at the exact instant that the dial tone would come on, the scanning circuitry would hiccup. When you picked up the line immediately afterward, you'd hear a slight whirring noise for a few seconds, then the line would go dead in much the same way as it did in the permanent signal condition.

The 2E went away in the mid-1980s, replaced by a 5E remote.

#6 samo

samo

    elite

  • Members
  • 104 posts
  • Location:Suburbia, Il

Posted 30 December 2008 - 11:59 PM

Years ago, my home town was served by a 2ESS. I found a non-useful bug on the 2E: If you picked the phone up and then hung up at the exact instant that the dial tone would come on, the scanning circuitry would hiccup. When you picked up the line immediately afterward, you'd hear a slight whirring noise for a few seconds, then the line would go dead in much the same way as it did in the permanent signal condition.

The 2E went away in the mid-1980s, replaced by a 5E remote.

That happens on 5ESSs too, or at least on mine, using pretty much the same method. It always takes a few tries, and I don't even know when the exact right moment is, but it works. When I call my home phone when it's "dead," my switch's AIS eerily declares it disconnected. There's no whining noise though, the line just goes totally dead.

Another weird thing about some or maybe all 5ESSs is their three way calling/"flashability." I don't know if these are bugs or quirks, or if they happen on all 5Es, but at least my switch allows you to flash as long as a real call (one that is not going to an error recording within the switch, is there a term for this?) is being placed. This is incredibly useful, it allows you to determine ring outs much more accurately, you can just place another call while you're waiting to find out if the first number you called was indeed a ring out. I'm not sure if this is also applicable to all 5E's, but one way my switch handles some call release cause value (the message sent back through the SS7 channel from the terminating switch that describes why the call was "released") is with a ring out. Of course, this goes to nothing, but these aren't flashable, so these are also easier to determine. The thing is, there are some inconsistencies with my switch's flashability, some numbers aren't flashable even though they do terminate to real numbers. If anyone could tell me why this happens, that'd be really appreciated.

Also, thoughtphreaker told me about another 5ESS bug that he discovered. If you rotary dial/flash a vertical service code, in his words, it puts the switch into a different mode than if you were to dial the code using touch tones. Touch toning * or # won't even break the dial tone under this condition.

Edited by samo, 31 December 2008 - 12:27 AM.


#7 invalid_route

invalid_route

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 18 posts
  • Location:203/413

Posted 31 December 2008 - 11:40 AM

Not sure if this happens with all 5E's, but one I was playing with a couple of years ago would not go back to dial tone after a call disconnected. You'd get the clicks you always get before dial tone comes on, but no tone...the line would just sit there and eventually go to the permanent signal recording. What was a little creepy about this was you could dial when the line was silent and your call would go through normally.

#8 chronomex

chronomex

    mad 1337

  • Members
  • 135 posts
  • Gender:Not Telling
  • Location:STTLWA

Posted 31 December 2008 - 01:07 PM

Not sure if this happens with all 5E's, but one I was playing with a couple of years ago would not go back to dial tone after a call disconnected. You'd get the clicks you always get before dial tone comes on, but no tone...the line would just sit there and eventually go to the permanent signal recording. What was a little creepy about this was you could dial when the line was silent and your call would go through normally.

That's pretty weird. Where and when was this? All 5E's in my experience (and 5XB and 1XB and Panel too) go to PS after disconnection. I just tried it and couldn't get anything by dialling after the call disconnected.

Step switches, however - the calling party can disconnect at any time, so the called party gets dialtone immediately if they're still on the line. But the called party can't disconnect the call; they just get the calling party again and again.

Edited by chronomex, 31 December 2008 - 01:07 PM.


#9 invalid_route

invalid_route

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 18 posts
  • Location:203/413

Posted 31 December 2008 - 02:50 PM

I saw this in the White Plains 5E (914-WH9) about 3 or 4 years ago. I made some recordings from there, will have to dig through the tapes to see if I captured this particular behavior.

#10 Royal

Royal

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 431 posts
  • Country:
  • Gender:Male
  • Location:Massachusetts

Posted 31 December 2008 - 07:39 PM

Years ago, my home town was served by a 2ESS. I found a non-useful bug on the 2E: If you picked the phone up and then hung up at the exact instant that the dial tone would come on, the scanning circuitry would hiccup. When you picked up the line immediately afterward, you'd hear a slight whirring noise for a few seconds, then the line would go dead in much the same way as it did in the permanent signal condition.

The 2E went away in the mid-1980s, replaced by a 5E remote.

That happens on 5ESSs too, or at least on mine, using pretty much the same method. It always takes a few tries, and I don't even know when the exact right moment is, but it works. When I call my home phone when it's "dead," my switch's AIS eerily declares it disconnected. There's no whining noise though, the line just goes totally dead.

Another weird thing about some or maybe all 5ESSs is their three way calling/"flashability." I don't know if these are bugs or quirks, or if they happen on all 5Es, but at least my switch allows you to flash as long as a real call (one that is not going to an error recording within the switch, is there a term for this?) is being placed. This is incredibly useful, it allows you to determine ring outs much more accurately, you can just place another call while you're waiting to find out if the first number you called was indeed a ring out. I'm not sure if this is also applicable to all 5E's, but one way my switch handles some call release cause value (the message sent back through the SS7 channel from the terminating switch that describes why the call was "released") is with a ring out. Of course, this goes to nothing, but these aren't flashable, so these are also easier to determine. The thing is, there are some inconsistencies with my switch's flashability, some numbers aren't flashable even though they do terminate to real numbers. If anyone could tell me why this happens, that'd be really appreciated.

Also, thoughtphreaker told me about another 5ESS bug that he discovered. If you rotary dial/flash a vertical service code, in his words, it puts the switch into a different mode than if you were to dial the code using touch tones. Touch toning * or # won't even break the dial tone under this condition.


Answer Supervision is what you're thinking of. Most 5ESSes won't let you flash over on three-way calling unless the first call supervises (answers). However on my 5ESS switch, I can flash over regardless of supervision status, which has its pros and cons. It's nice to be able to make 2 calls very quickly, but it also sucks to not be able to test if a call supervises.

If you're able to determine ringout bridges this way, then that means the ones you found were supervising while the ring tone played. Not all ringout bridges supervise when they ring though, so keep that in mind.

Edited by Royal, 01 January 2009 - 12:45 AM.


#11 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,228 posts
  • Gender:Male

Posted 05 January 2009 - 01:00 AM

Not all ringout bridges supervise when they ring though, so keep that in mind.


I actually haven't seen any that supervise, like, at all. Has anybody else? I could just be unlucky. Also, this is a bit off-topic, but there's a few other unique noises that switches make. I'm not sure about the rest of the switches in the PSTN, but there's another way to tell the difference between a DMS-100 and a 5ESS. When you get routed to an AIS, it makes a different sound.

I'm not sure how the best way to explain it would be, so here's two different numbers routing to the same AIS. Listen closely;

914-235-9925 - 5ESS
516-593-9950 - DMS-100

If you want another way to tell the difference between switches, check the thread on ring types.

#12 dmine45

dmine45

    Mack Daddy 31337

  • Members
  • 225 posts

Posted 05 January 2009 - 08:34 PM

ThoughtPhreaker is correct that ring types are a good way to tell what kind of switch you're dialing into. Another way is to see how centralized intercept comes on and plays. Finally, you can almost always tell from a non restricted outgoing line. 5ESS and DMS-100 are the most common types and are easy to determine. GTD-5 (aka 5EAX) is fairly common and somewhat easy to figure out. It's been a while since I played on a DCO so I don't know how well I can determine what kind of switch it is without looking up on a database.

Other than the very few Redcom switches out there - anyone know what other switch types are still in use? A database shows a SC ESC-3 still in use in rural Georgia. Dunno if that is true or not.

#13 samo

samo

    elite

  • Members
  • 104 posts
  • Location:Suburbia, Il

Posted 05 January 2009 - 11:44 PM

One more thing about 5ESS's. So the ring back in my area is 511, as it is throughout chicagoland (to my knowledge). 511 is also a N11 code though, so these two numbers conflict a little. I used to think that the only way to reach 511 (the n11 code) was to dial 511, and then wait for a while for the switch to give up on receiving digits and connect the call. I also noticed that dialing any invalid number (including partially completed valid numbers), and then pressing pound, would connect you to a recording from the switch declaring the call invalid. Well, I put two and two together and dialed 511#, and I was connected to the 511 N11 number immediately (I think it's actually just an error recording parked on a tandem somewhere around here, not an actual service). So, long story short, I believe that # is somewhat of an "enter" button for 5ESS's. Dunno if this was common knowledge. It could be used to find special numbers belonging to the switch that are shorter than normal. Can we please keep this thread going?
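The behaviour samo describes (511 being both a complete N11 code and the prefix of the 511-XXXX ringback range, with `#` or the interdigit timer deciding which one the switch routes to) is how end-of-dialing works in a digit collector: an ambiguous prefix is held until either more digits arrive, the timer expires, or `#` forces a decision. The toy model below is an added example written for this thread, not code from any real switch or from the poster; the dial plan (including the wildcard letters X and N and the `+` suffix for variable-length international dialing) is a constructed approximation, not a real 5ESS translation.

```python
"""Toy digit collector: '#' as end-of-dial, interdigit timeout otherwise.

Constructed dial plan modelled loosely on the Chicago-area example in the post:
'511' is both an N11 code and the prefix of the 511-XXXX ringback range.
Pattern wildcards: X = any digit, N = 2-9; a trailing '+' marks a pattern
that can keep growing and so only completes on '#' or on timeout.
Plan order is precedence when more than one pattern is complete.
"""

DIAL_PLAN = [
    ("011X+",       "international"),   # variable length, waits for '#'/timeout
    ("511",         "n11-service"),
    ("511XXXX",     "ringback-test"),
    ("1NXXNXXXXXX", "long-distance"),
    ("NXXXXXX",     "local-7-digit"),
]


def _digit_ok(pat_char, digit):
    """One pattern character against one dialed digit."""
    if pat_char == "X":
        return digit.isdigit()
    if pat_char == "N":
        return digit in "23456789"
    return pat_char == digit


def match(pattern, digits):
    """Return 'none', 'partial', 'full' or 'open' (complete but may still grow)."""
    variable = pattern.endswith("+")
    fixed = pattern[:-1] if variable else pattern
    for p, d in zip(fixed, digits):
        if not _digit_ok(p, d):
            return "none"
    if len(digits) < len(fixed):
        return "partial"
    if len(digits) > len(fixed) and not variable:
        return "none"
    return "open" if variable else "full"


class DigitCollector:
    """Collects keys one at a time and routes as soon as the plan is unambiguous."""

    def __init__(self, plan=DIAL_PLAN):
        self.plan = plan
        self.digits = ""

    def press(self, key):
        """Feed one key. Returns a route, 'invalid', or None while still collecting."""
        if key == "#":
            return self.end_of_dial()
        if not key.isdigit():
            return None  # '*' and anything else is ignored by this toy model
        self.digits += key
        return self._decide(end_of_dial=False)

    def end_of_dial(self):
        """Interdigit timer expired or '#' pressed: decide with what we have."""
        return self._decide(end_of_dial=True)

    def _decide(self, end_of_dial):
        states = [(route, match(pat, self.digits)) for pat, route in self.plan]
        routable = [r for r, s in states if s in ("full", "open")]
        # A 'partial' or 'open' pattern means more digits could still change the answer.
        more_possible = any(s in ("partial", "open") for _, s in states)
        if not end_of_dial and more_possible:
            return None          # hold: 511 alone is ambiguous with 511-XXXX
        if routable:
            return routable[0]   # plan order breaks ties
        return "invalid"         # nothing fits: intercept recording


def dial(keys, timeout_at_end=False):
    """Replay a key string; optionally let the interdigit timer fire afterwards."""
    c = DigitCollector()
    for k in keys:
        result = c.press(k)
        if result is not None:
            return result
    return c.end_of_dial() if timeout_at_end else None


if __name__ == "__main__":
    for keys, tmo in [("511", False), ("511", True), ("511#", False),
                      ("5115555", False), ("99#", False), ("0114420", False),
                      ("0114420#", False), ("12125551212", False)]:
        print(f"{keys!r:14} timeout={tmo!s:5} -> {dial(keys, tmo)}")
```

Dialing `511` on its own returns None (still collecting), `511#` or `511` plus a timeout routes to the N11 entry, and a seventh digit resolves it to the ringback range without waiting; `99#` goes straight to `invalid`, which is the "partial number plus pound gives an error recording" observation from the post.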

#14 rjp

rjp

    Will I break 10 posts?

  • Members
  • 8 posts

Posted 06 January 2009 - 09:51 AM

I believe that # is somewhat of an "enter" button for 5ESS's.


That's been around even in the 1ESS. Most commonly, it was used as an "enter" key for 01+/011+ international calls, so that the switch wouldn't have to wait and see if any more digits were forthcoming.

#15 invalid_route

invalid_route

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 18 posts
  • Location:203/413

Posted 06 January 2009 - 02:51 PM

Another somewhat common switch not mentioned so far is the Siemens EWSD (digital switch made starting in the late 80s)...I was served by one for a while until I got VOIP. Have a couple of recordings from it I can post if anyone wants, mainly getting a dialtone and calling a disconnected number.

#16 samo

samo

    elite

  • Members
  • 104 posts
  • Location:Suburbia, Il

Posted 06 January 2009 - 06:15 PM

Another somewhat common switch not mentioned so far is the Siemens EWSD (digital switch made starting in the late 80s)...I was served by one for a while until I got VOIP. Have a couple of recordings from it I can post if anyone wants, mainly getting a dialtone and calling a disconnected number.

I'd love that. There are a bunch of EWSD's in my area code, they seem to be replacing all the old switches in my area, I hope to use a payphone on one in the future. Thanks.

#17 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,228 posts
  • Gender:Male

Posted 09 January 2009 - 07:59 PM

I'd love that. There are a bunch of EWSD's in my area code, they seem to be replacing all the old switches in my area, I hope to use a payphone on one in the future. Thanks.


JmanA9 made a few recordings from an EWSD as well, but I'm not sure what he did with them. I'm surprised nobody on a DMS-100 has tested the bug I posted above, though. It could yield some interesting results if the end office refuses to release the trunk on an intra-office call. I'm betting the tandem would freak out. If by perchance you've tried it, please post results :) .

#18 JmanA9

JmanA9

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 436 posts
  • Location:NPA 724

Posted 09 January 2009 - 11:44 PM

I'd love that. There are a bunch of EWSD's in my area code, they seem to be replacing all the old switches in my area, I hope to use a payphone on one in the future. Thanks.


JmanA9 made a few recordings from an EWSD as well, but I'm not sure what he did with them. I'm surprised nobody on a DMS-100 has tested the bug I posted above, though. It could yield some interesting results if the end office refuses to release the trunk on an intra-office call. I'm betting the tandem would freak out. If by perchance you've tried it, please post results :) .

What recording? :)



Wow, I made that recording so long ago.

#19 samo

samo

    elite

  • Members
  • 104 posts
  • Location:Suburbia, Il

Posted 10 January 2009 - 06:34 PM

On the Highland Park DMS-100, a strange thing happens when you flash on the local error messages of the switch (the ones you get from dialing something invalid, for example). When you flash on one error recording, you hear a short ring to the same error recording from the beginning. Flashing again gives you silence, and then flashing once more actually hangs up. Flashing on another error recording results in a very loud off-hook tone, flashing again gets you silence, and then one more flash hangs up. It's a pretty old switch, if I remember, but I have no idea why this happens and haven't heard of anything similar to it. Here's a recording of flashing on the error recording that rings again.


#20 invalid_route

invalid_route

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 18 posts
  • Location:203/413

Posted 16 January 2009 - 11:54 AM

Wow, that EWSD rings when giving intercepts...the ones I played with never did that. Here's a non-working number in one of them in my NPA that doesn't ring before it gives the recording:
(203)426-0000