
Understanding the Tandem Network


11 replies to this topic

#1 skywanter

skywanter

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:847/412

Posted 04 September 2012 - 02:49 PM

I can't say it in a simpler way - I know that a lot of phreaks talk about the tandem network and call routing etc., and I honestly have very little idea as to where I could start; I'm just looking to see if anyone could point me in the right direction. I'm kind of expecting this to be more of something that I can't really research or read about, only something that I can learn through hands-on stuff, but even with that, I'm kinda lost. I feel like the phreaking community (HA!) could definitely use an article about the subject. I'm not really looking for theory - I understand the tandem network's function in the PSTN for the most part (the SS7 protocol is something that I'm loosely versed in but don't even know if it's relevant to phreaks), I'm just looking to understand how one can play with and learn about the tandem network as one does a normal switch.

Also, I feel bad I missed the conference that was attempted a little while ago and I'd be down to try for one again. Honestly I wouldn't have much to talk about since I really haven't been doing much phreaking-wise lately but I'd contribute whatever I could.

Hope all is well with everyone, happy phreaking. For the very few of you who I have actually spoken to before this is samo btw I just lost the password to my old account.

#2 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,225 posts
  • Gender:Male

Posted 07 September 2012 - 04:44 AM

Hey Samo! Good to hear from you again. Sorry to give you a wall of text here, there's really no concise way to explain this.

In short, if you want to explore a long distance tandem, your best bet is to use a PIC code. There's a very simple trick that lets you push any destination you want directly into the tandem. We'll use Worldcom as an example, since it works from basically anywhere in the United States.
Ready? Dial 101-0555. That's it; no zero, nothing. What you get next is a dialtone straight from the tandem. In the case of the ex-Worldcom tandems, it's not quite as fun as it could be; it wants an authorization code à la 950 calling card.

Here's an example of what you might find - http://thoughtphreak..._800223110.flac

That's from a DMS (500, I think) owned by Integra, one of the local CLECs. Most long distance tandems (AT&T's aside - we'll get into that in a bit) don't like terminating toll-free calls, so you'll end up getting weird messages that you'll never be able to hear normally unless your switch loses its mind. What's so great about this is you're completely free from the dialing restrictions of a normal end office. Want to dial an NXX starting with 1 or 0? A code starting with #? *? There's nothing standing in your way. Sprint in particular stuck a speed dial function on their tandem for some weird reason in the #xx range. #99+anything seems to be its own little exception - it'll wait for a very large number of digits before eventually giving you a generic CBCAE recording. This might indicate they're hiding something else here.

There's one downside to this technique: if you're not subscribed to a carrier, they won't always let you play with the tandem. ex-MCI (0222) and Sprint are a couple of good examples of this, but Sprint will give you a cool message as a consolation prize. Depending on your area, you might have better luck too. For example, the Qwest long distance network has a combination of DMS-250 and Sonus switches.

Sonus isn't fond of letting people have fun on the phone, so you'll just get a generic error recording. If you encounter Global Crossing's Sonus switches, you won't even get a custom recording, you'll get the Sonus stock one. It's worth a laugh if you ever hear it. It's under three seconds, and was clearly made last minute by an engineer.

Speaking of Global Crossing, like MCI/0222, they have a number of Alcatel DEX switches floating around. Dialing 101-0444 will just get you an error, though. The solution? 950-1044! What dialplan they're using is absolutely beyond me, though, so you're on your own there. There are suggestions - like 800-223-1104 (but only without a 1) going to an invalid code recording - that suggest it might be for calling card use, but most things I can think to try just go to a CBCAD.

And then we come to AT&T's 0288 network. I'll level with you, this is something I haven't figured out at all. Whenever I've been fortunate enough to get a dialtone back, it's always been from one of their 5ESS toll tandems. If there's such a thing as a pushy phone switch, this is it. It'll let you know right away if it thinks you're doing something wrong. And putting a 1 in front of your destination number is wrong. I haven't had the time or an opportunity to just sit down and investigate this, but what I do know is it's unique from a lot of other switches. For one, it'll terminate toll-free calls, but only on specific carriers. I believe just AT&T and Global Crossing toll-frees. Sometimes, it gets a little weirder - like, if you dial 800-244-1111, you'll get a recording from a McLeodUSA DMS. What this means I'm not sure exactly, but my guess is since the 5E toll tandems are responsible for lending a hand in connecting toll-frees, they'll store translations for those toll-frees. If it happens to have one, outdated or not, it'll just use that instead of doing an SMS-800 dip.

Also of note on the AT&T tandems is the 600 NPA. Instead of just intercepting it like any invalid NPA, it'll pass this onto the 4ESS. This might indicate AT&T stashed something in there.

As for your question - is SS7 relevant to phreaks?

Absolutely. The very core practice of phreaking - introducing unorthodox input into the phone network - is fair game to everything, in or out of the speech channel. In the past, we've proved ISDN cause codes can trigger calls to take a different route, and it's been demonstrated that originating a ghost call (in short, an ANI fail on steroids - a call originated with no field other than the destination number) can be enough trouble that phone companies would probably scratch their heads as to whom they should send the bill. It's understandable that figuring these things out is a challenge, but if anything, that should be a motivator. We're phone phreaks; we've got the resourcefulness to identify a piece of telco hardware by nothing more than vague sounds, and have fun in the process. This should be a reminder that there's always more to explore, and always another limit to break.

Edited by ThoughtPhreaker, 20 September 2012 - 07:37 AM.


#3 skywanter

skywanter

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:847/412

Posted 04 February 2013 - 09:25 PM


ThoughtPhreaker, you never ever have to apologize to me for sending me walls of text. I appreciate the hell out of them and they're always a ton of fun to read.

A few quick questions - from my AT&T landline I wasn't able to get to 950-1044 - I dunno what 950 is used for normally, but on my switch it's a test exchange. Any other way I could reach it? And is the Sonus error message you're talking about heard on Qwest's 10-10-757? (I don't think that's the right way to type that, but too bad, that's what I'm used to :)) I hear those all the time so it's really nice to know what it is.

That's totally rad about AT&T's 5E toll tandems putting toll-frees through. I'll have to find out if I can get a dialtone off of one from my area/having AT&T as my LD provider (I assume I'd do this just by scanning AT&T PIC codes). Thanks again for the writeup :)



#4 JmanA9

JmanA9

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 436 posts
  • Location:NPA 724

Posted 06 February 2013 - 08:38 PM

The vast majority of switches I've used do not complete calls to 950 Feature Group B numbers. If your switch doesn't let you dial 950 codes, unfortunately, I don't know any other way to reach them. My guess is that the Feature Group D 101XXXX codes reach the same switch; however, the 950 codes usually give you a dialtone (sometimes a strange-sounding one at that) whereas the FGD codes typically give you an IVR. It sounds like dialing FGD codes without any digits after may give you the same dial tone you would get when dialing a 950 code. Typically, you'd dial a 950 code, the number you were calling, then your access/calling card number.

If you want to know what 950 is about, here's a quick history lesson (a lot of this pre-dates me, but to the best of my understanding, here's what I've gathered):

1) There used to be a time when you could not choose your long distance carrier.

2) Enterprising entities such as MCI and Sprint saw money in the long distance game and began to offer an alternative to AT&T's long distance service. They provided a regular 7-digit access telephone number which you could use to complete calls through their network. This became known as Feature Group A.

3) MCI and Sprint wanted their system to be a local call from (almost) any phone in a city where they offered service. To accomplish this, they had telephone numbers in several rate centers. This was costly, and as they saw it, unfair on several levels.

4) Feature Group B was implemented. Customers could dial 950 + 4 digits to choose a long distance carrier. Sprint, MCI, and others did away with their 7-digit access numbers and moved to codes such as 950-1033 which could be dialed for free from any phone.

5) Feature Group C was apparently skipped.

6) Feature Group D was implemented, starting as 10-XXX and, when numbers were exhausted, 101-XXXX. 10-220 became 101-0220 (usually written out as 10-10-220). I'm not sure why FGD was created since there are fewer assignable codes with FGD as originally implemented compared to FGB. I'm sure the answer is out there. It may have been because 950 codes were usually subscription-based and FGD codes can be dialed in many cases without presubscribing to a company's services.

This site has a helpful pictorial representation of how calls are delivered:

https://primeaccess....fm?section=2685

Despite the fact that FGB cannot be reached from many switches, codes are still being assigned. The newest FGB code was assigned in March 2012 to "The Billing Resource." Are they requesting codes so that they can be used by regular telephone users? I don't know, but I suspect not since the residential competitive long distance business is much less lucrative than it once was.

You can view FGB and FGD assignments and reclamations here:

http://www.nanpa.com...eports_cic.html


Edited by JmanA9, 06 February 2013 - 08:42 PM.


#5 dmine45

dmine45

    Mack Daddy 31337

  • Members
  • 225 posts

Posted 07 February 2013 - 06:31 PM

http://en.wikipedia....i/Feature_group

  1. Feature Group A - user has to dial a local telephone number, followed by the desired long-distance number.
  2. Feature Group B - associated with 950-XXXX calling; instead of a local telephone number the user enters 950 and 4 additional digits; depending on the service provided this may be followed by a calling card number and the long-distance number.
  3. Feature Group C - used mainly by AT&T for pay phones since they allow the operator to keep control of the caller's telephone line until the transaction is completed.
  4. Feature Group D - highest quality connection, and allows pre-selection of the interexchange carrier by the end-user. This feature group permitted two types of calls. If a user dials 1 + area code + seven-digit number, the long distance call is handled by a default carrier chosen by the user. Alternatively, a user dials 101 + four-digit carrier code + area code + seven-digit number, and the call is handled by the carrier specified by the carrier code. Most carrier codes began with 0, so this type of "dial around" service was typically marketed as dial-around 1010 service.

I remember Fg. A very well. A few still exist. Used to exploit these quite a bit back in the day! ;)

Fg. B really never took off, and was only used by the Baby Bells. Almost no independents, CLECs or VoIP services ever used this. The ones I know of that worked were 950-1022 & 950-1033. I think at one time 950-1028 also worked.

Fg. C is now gone since telco owned/operated and central office controlled pay phones are now a thing of the past.

Fg. D is still around, either by pre-selecting your carrier or 101-xxxx dial-around services (as ThoughtPhreaker mentioned above).


Edited by dmine45, 07 February 2013 - 06:40 PM.
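The two posts above between them give the dialing patterns of every feature group still in use: 950-XXXX for Feature Group B, 1+ or 0+ a ten-digit number for presubscribed FGD, and 101-XXXX (or the older 10-XXX, carried forward as 101-0XXX) ahead of the number for dial-around. The classifier below is an added example, not code from this thread or from any of its posters; it turns a raw dialed-digits string, as found in a switch CDR, into the feature group, the carrier code, and the destination, so a fraud or toll-abuse review can see which lines are bypassing their presubscribed carrier and through whom. The CIC-to-carrier table is constructed from the codes mentioned in the thread rather than taken from the NANPA reports, the rule that 101-XXXX is tried before 10-XXX (so that no 10-1XX code is ever assumed) is my assumption, and the sample CDR entries are constructed with fictitious 555 numbers.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Carrier identification codes named in the thread (constructed lookup table,
# not an authoritative list; NANPA publishes the real CIC assignment reports).
CIC_NAMES = {"0222": "MCI", "0288": "AT&T", "0444": "Global Crossing",
             "0555": "Worldcom", "0757": "Qwest"}

# A NANP destination: NPA and NXX start with 2-9, then four subscriber digits.
_NANP = re.compile(r"^[2-9]\d{2}[2-9]\d{2}\d{4}$")


@dataclass(frozen=True)
class DialClass:
    feature_group: str           # "B", "D-dial-around", "D-presubscribed", "operator", "unknown"
    carrier_code: Optional[str]  # 950-XXXX code for FGB, four-digit CIC for FGD dial-around
    carrier_name: Optional[str]  # looked up in CIC_NAMES when known
    prefix: Optional[str]        # "1" or "0" dialed ahead of the destination, if any
    destination: Optional[str]   # ten-digit NPA-NXX-XXXX, or None if only the access code was dialed


def digits_only(dialed: str) -> str:
    """Strip hyphens, spaces and parentheses so "10-10-220" and "1010220" compare equal."""
    return re.sub(r"\D", "", dialed)


def expand_legacy_cic(xxx: str) -> str:
    """10-XXX codes were carried into the 101-XXXX plan as 101-0XXX (10-220 -> 101-0220)."""
    return "0" + xxx


def _split_destination(rest: str) -> Tuple[Optional[str], Optional[str]]:
    """Digits after a carrier code: none (stopped at the carrier's dial tone), a lone 0
    (carrier operator), or an optional 1/0 plus a ten-digit number; else ValueError."""
    if rest == "":
        return None, None
    if rest == "0":
        return "0", None
    prefix = None
    if len(rest) == 11 and rest[0] in "01":
        prefix, rest = rest[0], rest[1:]
    if not _NANP.match(rest):
        raise ValueError("destination is not a ten-digit NANP number")
    return prefix, rest


def classify(dialed: str) -> DialClass:
    d = digits_only(dialed)
    unknown = DialClass("unknown", None, None, None, None)

    # Feature Group B: 950 + four-digit code, dialed alone; the called number and any
    # card number are entered only after the carrier's switch answers.
    if len(d) == 7 and d.startswith("950"):
        return DialClass("B", d, None, None, None)

    # Feature Group D dial-around. 101-XXXX is tried before the legacy 10-XXX form,
    # so "1010220..." reads as CIC 0220 rather than 10-102 (assumption: no 10-1XX
    # codes exist, which is what lets the 101 prefix coexist with 10-XXX).
    cic = rest = None
    if d.startswith("101") and len(d) >= 7:
        cic, rest = d[3:7], d[7:]
    elif d.startswith("10") and len(d) >= 5:
        cic, rest = expand_legacy_cic(d[2:5]), d[5:]
    if cic is not None:
        try:
            prefix, dest = _split_destination(rest)
        except ValueError:
            return unknown
        return DialClass("D-dial-around", cic, CIC_NAMES.get(cic), prefix, dest)

    # Presubscribed 1+ (routed by the line's PIC) or 0+ operator-assisted call.
    if len(d) == 11 and d[0] in "01" and _NANP.match(d[1:]):
        group = "D-presubscribed" if d[0] == "1" else "operator"
        return DialClass(group, None, None, d[0], d[1:])

    return unknown


def dial_around_report(dialed_strings: Iterable[str]) -> Dict[str, int]:
    """Tally dial-around calls per carrier: the CDR review that shows which lines
    bypass their presubscribed carrier, and through whom."""
    counts: Dict[str, int] = {}
    for s in dialed_strings:
        r = classify(s)
        if r.feature_group == "D-dial-around":
            key = r.carrier_name or r.carrier_code
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample of a CDR dialed-digits field; destinations are fictitious 555 numbers.
SAMPLE_CDR = ["1-847-555-0100", "10-10-220-1-412-555-0100", "101-0288-0",
              "950-1033", "1010555", "0-412-555-0199"]

if __name__ == "__main__":
    for s in SAMPLE_CDR:
        print(f"{s:>26} -> {classify(s)}")
    print(dial_around_report(SAMPLE_CDR))
```

Run as a script it prints one classification per sample entry and then the per-carrier dial-around tally; a CIC the table doesn't know (0220 in the sample) is reported under its code rather than dropped, which is the behaviour you want in a review, since an unfamiliar carrier code on a line is exactly the thing worth looking at.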


#6 JmanA9

JmanA9

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 436 posts
  • Location:NPA 724

Posted 09 February 2013 - 12:22 PM

I remember Fg. A very well. A few still exist. Used to exploit these quite a bit back in the day! ;)

Do you know if any still exist for the "big" long-distance carriers?



#7 dmine45

dmine45

    Mack Daddy 31337

  • Members
  • 225 posts

Posted 09 February 2013 - 02:35 PM

I remember Fg. A very well. A few still exist. Used to exploit these quite a bit back in the day! ;)

Do you know if any still exist for the "big" long-distance carriers?

Not for the big guys. MCI and Sprint still have their Fg. B running.


Edited by dmine45, 09 February 2013 - 02:35 PM.


#8 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,225 posts
  • Gender:Male

Posted 12 February 2013 - 05:07 AM


ThoughtPhreaker, you never ever have to apologize to me for sending me walls of text. I appreciate the hell out of them and they're always a ton of fun to read.

A few quick questions - from my AT&T landline I wasn't able to get to 950-1044 - I dunno what 950 is used for normally, but on my switch it's a test exchange. Any other way I could reach it? And is the Sonus error message you're talking about heard on Qwest's 10-10-757? (I don't think that's the right way to type that, but too bad, that's what I'm used to :)) I hear those all the time so it's really nice to know what it is.

That's totally rad about AT&T's 5E toll tandems putting toll-frees through. I'll have to find out if I can get a dialtone off of one from my area/having AT&T as my LD provider (I assume I'd do this just by scanning AT&T PIC codes). Thanks again for the writeup :)

Thanks! Glad you enjoyed it. 101-0757 isn't available from here, but the Sonus guy sounds like this: 804-253-9863. All of the announcements have those fans in the background, and aren't more than three(ish) seconds.

I haven't heard of 950 being used as a test prefix before, but around here sometimes it can act a little weird. ACTS phones (on the same switch as lines that complete normally, no less) will sometimes silently wait for DTMF and transfer you to a collect call company.

Regarding the AT&T 5ESSes, I've only seen that work in one place. I'd love to find a way to make sure, but for all I know, that could've just been a misconfigured tandem.

The vast majority of switches I've used do not complete calls to 950 Feature Group B numbers. If your switch doesn't let you dial 950 codes, unfortunately, I don't know any other way to reach them.

That's strange, I've never had a switch turn its nose up completely at 950 codes. I guess I'll have to keep a lookout for that. One thing I will say about the newer 950 codes is I was wondering the same thing about them a few years ago, so I started calling them until I found one that worked. It actually answered with a 1200 baud modem!

On that subject, there was a pizza place nearby that's come and gone - in a whopping three years, no less. But anyway, whenever you bought something with a credit card, you'd get to hear a US Robotics modem dial out. I don't know what number it dialed, but it was a seven digit number, and ten digit dialing has been mandatory for a good while here. So maybe financial institutions have some incentive to keep them running?

Fg. C is now gone since telco owned/operated and central office controlled pay phones are now a thing of the past.

How long they'll be around is a question, but I've noticed some of the COCOT companies that've inherited ACTS phones from telcos will continue using them, or keep a COCOT in CO signalling mode.

 



#9 dmine45

dmine45

    Mack Daddy 31337

  • Members
  • 225 posts

Posted 12 February 2013 - 05:25 AM


How long they'll be around is a question, but I've noticed some of the COCOT companies that've inherited ACTS phones from telcos will continue using them, or keep a COCOT in CO signalling mode.

Fg. C was mostly used by AT&T operators to "hold your line". Post-divestiture, a system was needed so both the local operator (ILEC) and AT&T operator could hold your line. AT&T also used this to ring back the line for ACTS to get more money on long distance phone calls at pay phones.

Several years ago AT&T successfully petitioned the FCC to remove Fg. C access (dedicated operator "0+" trunks) to end offices. So now when you call the AT&T operator directly (not via 800-CALL-ATT) you go through regular long distance "1+" trunks and not dedicated 0+ trunks. ACTS from AT&T ended roughly 10 years ago, and when that ended they got rid of Fg. C.

A side effect of this is how AT&T knows which OSPS to send your call to. It's now based upon your NPA-NXX combo instead of your trunk group.


#10 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,225 posts
  • Gender:Male

Posted 12 February 2013 - 05:36 AM

That's interesting. Do you know if there's any specific configuration for 0+ calls that puts them on separate hardware from 1+? It's gotten a lot better recently, but for a while, AT&T's 1+ trunks from my office were really, really crackly. Like, to the point where when you dialed a toll-free number, you'd know in seconds if it was originating on AT&T long distance. This has never happened when you dial 101-0288-0, though; it's always been very clean sounding. 



#11 dmine45

dmine45

    Mack Daddy 31337

  • Members
  • 225 posts

Posted 12 February 2013 - 05:50 PM

Good question. I don't know if it was a virtual trunk group within the same trunk or two physical groups. Also, it all depends on routing. 0+ calls may route via a different set of tandems than 1+. For example, when you make a 1+ call via AT&T it could go to your LATA tandem, then to your local 4ESS tandem. Calling 0+ could route from the LATA tandem directly to OSPS. Not saying that's the case, just a thought.


Edited by dmine45, 12 February 2013 - 05:51 PM.


#12 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,225 posts
  • Gender:Male

Posted 21 February 2013 - 07:39 AM

On the subject of weird tandem stuff, one thing I've noticed Qwest's Sonus gear will do (or Qwest's gear, anyway; I *think* it's their Sonus switch doing this) is whenever there's a low transmission level, it'll very quickly raise the amplitude well to the point where it'd normally start clipping. In the interest of being loud and annoying, does anybody have any idea how it accomplishes this?

My suspicion is it might be determining this by way of echo from the distant end - it always seems to realize when you're pulling its leg by just playing something at a low level, and it only raises the gain when you're transmitting audio.





