ThoughtPhreaker last won the day on October 19


About ThoughtPhreaker

  1. If I remember right, this was taken at Defcon around the turn of the decade or so. Someone was playing it on the bridge, so I don't have a solid reference for where it's from. Keep in mind even that can be a problem sometimes: 304-720-9915, 863-297-9998, 707-262-0086.
  2. I'd consider options other than waiting for a call for assistance for the moment. Sorry. For a lot of reasons, including being in northern California for those wildfires last week (evacuating tends not to be fun. Not so much because of the impending doom, but because of the obligatory people driving like absolute retards you see in disasters, and having to take a long car trip when you're least in the mood for one), I've had an unusual amount of things to deal with recently. If you want to hop on the bridge one night though, that might be a good way to look into this.
  3. The N4Es specifically have media gateways, so they could just use existing TDM trunks. I don't know what they're run over, but with things that are very clearly running over IP like the 4E-APS redesigns (notice in areas like Los Angeles and New York, the 800-223-1104 ANAC has a different voice. They don't seem to be actively adding these at the moment), I just sorta assume they're at least reachable on the public internet. Occasionally they'll have the sort of staggering packet loss that would imply a bunch of people trying to attack it or something.
  4. The problem with WarVox and a lot of those other programs is it follows the mentality of people who equate this sort of dialing with a relatively menial practice, like nmapping but for phone calls (which to be fair, isn't to say that's not the case in some places. Learning to anticipate when you're going to be left with two wasted hours and a couple milliwatts is an important part of this), and are relatively inexperienced with phone networks to boot. For example, there's a video somewhere of the WarVox developer in particular getting a dialtone from some sketchy route his VoIP provider used, and mistaking it for something actually coming from what he was trying to call. Anyway, when you get rid of the tediousness of disconnected numbers and subscribers, it's a really enjoyable practice that helps you learn way more about the network than anything else; sort of like a huge improv exercise. Techniques like identifying switches based on the ringback sample they use never would've become a thing if there weren't people practicing hand scanning. There's also a fair number of things that automated analysis will very frequently miss. So the idea behind all this is to keep a level of automated detection for the purposes of indexing; so people know where to look and if they're in a mood for a particular sort of thing, finding them a range that has a lot of it. But also, ultimately, letting a caller be the ultimate judge of what's on the other end, and giving them maximum exposure to the network. So essentially to take the monotony out, keep all the good parts, and organize it in a way that works with a minimal amount of free time. Or to put it simply, I'm kinda tired of half the some numbers posts being mine.
  5. For anybody else interested in ASA, here's a copy: I think the command to grab the translations from the Definity to a computer is 'upload translations'. I'm honestly a little confused; I've never seen it barf out something blank like that before. If you could try again, that'd be great; there's a checksum for like every block in the xmodem protocol, so there's no chance of it uploading something it shouldn't. Well, not without Hyperterminal (or the Definity) raising a huge stink anyway. No worries! It might be a while before I can get a normal machine to run this with (the machine that currently runs my Dialogic code gets pretty frequent use right now, and being headless, it's hardly a normal install case) though, so let me know if you want me to just help you remotely for now. I know enough by memory to get it working for that and improvise the rest. For starts, you'll need a Dialogic card. This is the particular model I have. It's cheap and works with normal POTS stations. Occasionally you'll see them go for a little cheaper on eBay, but this is pretty good: . It's about a foot long, so finding a machine it physically fits in (most off the shelf ATX machines will do) is going to be your biggest bottleneck. Any Pentium 3 (or later 2)-era thrift store/yard sale/dumpster machine with 256 or so MB RAM will run the software perfectly fine. After booting the install CD, keep in mind it'll overwrite your hard disk without asking too. Once it boots, you may need to set the root password and start up an SSH server (beware that leaving any system running a Linux distro this old on the public internet is an extreme liability. Since it was convenient, I was using a dial-up modem to run mine for a while) before installing the Audix software packages. If you need any help with that, just let me know. That's right; the formatting stuff the Definity spits out with the dump isn't part of what's in RAM. 
But by pasting all that in a hex editor, you're converting ASCII to hex data, though. The RAM location with the passwords changes with each build. My way of figuring out where is to just search for the string 'inads' until I find what looks like passwords. From the TCM shell (which I *think* exists in release 6. At least, there's a TCM process. I don't think you can type 'go tcm' until 7 or 8 though), you can get a fairly solid example from the Definity itself of what the location with passwords looks like: That's a good question - I don't think the keys are necessarily in the RAM, but the program that validates them definitely is. I honestly don't have any idea how to do it. EDIT: Here's some cheaper Dialogic cards. Like I said, they go for peanuts: It's a little strange; these go for like, $5,000 brand new, and some of them weren't even opened. From the auction descriptions, it sounds like some people are mistaking these for dial-up modems. If you're willing to go through the trouble to develop software for them, it's a ridiculously good deal. There's also another card you can occasionally find that's smaller and should be runnable using the same API. I haven't tested it, but if anybody wants to give it a try, here's one:
  6. So today, I was thinking about a few people I'd talked to recently - they told me they were into the idea of scanning, but because of their lack of free time/direction, it was hard to find space in their lives for this sort of thing. So I was thinking; should I build a thing with my Dialogic box that automatically dials ranges that look potentially fun, and let people review the recordings/manually make a description of what's actually on the line? There could be a rough level of signal detection using the DSP; enough to let you search by what you'd like to see most; whether it be recordings, VMBs, modems or dialtones or whatever, and let you select by region or operating company. Maybe some more powerful signal detection could be tacked on at a later point that could recognize certain manufacturers or switch types. This would be a pretty significant undertaking, so I'd like to know if anybody is interested before I actually do this. If you don't actively scan and would like to, would this help turn the tide for you a little?
  7. No dice. Maybe! I wonder if a slow sweep tone or something would be in order. The pause/repeat thing sounds like it may be your long distance carrier changing routes. If you're okay with casual dialing (should be safe; I'd be sure, but I don't think it supes), try seeing if AT&T or MCI do the same. I'd be really disappointed if it was the case, but I was thinking this might just be the Nortel announcement card making that tone; they sometimes end calls with that same (or at least a similar) cause code.
     706-219-0002 - Windstream NOC
     434-223-6399 - Newer Otis elevator at university, on Meridian. 7200 is a Siemens elevator.
     706-865
     1112 - Ringout bridge
     1113 - rec, "The number you have dialed is a party on your own line. Please hang up and allow the phone to ring several times before lifting the handset to talk."
     1117 - Ringout
     1118 - Ringout to Meatwitch VMB, Windstream Cleveland CO
     1119 - Business
     1120 - Ringout to Meatwitch VMB (CNAM: WINDSTREAM)
     1121 - Loud, 20 hertz ringing x1 + hang up
     1122 - Mitel PBX ringout to Express Messenger VMB, answers with **93604
     1123 - Ringout
     1124 - Ringout
     1125 - Ringout
     1126 - Ringout
     1127 - Ringout
     1128 - Ringout
     1129 - Ringout
     1130 - Modem
     1131 - Ringout
     1133 - Ringout
     1134 - Ringout
     1135 - Ringout
     1136 - Ringout
     1137 - Ringout to Meatwitch VMS
     1138 - Ringout to Meatwitch VMS
     1139 - Ringout
     1140 - Ringout
     1141 - Rings x1, hangs up quickly
     1142 - Ringout
     1143 - Ringout
     1144 - Ringout
     1145 - Ringout
     1146 - Ringout
     1147 - Modem
     1148 - Modem
     1149 - Ringout
     1150 - Ringout
     1151 - Ringout
     1152 - Ringout
     1153 - Ringout
     1154 - Ringout
     1155 - Ringout
     1156 - Modem
     1157 - Ringout
     1158 - Ringout
     1159 - Ringout
     1160 - Ringout
     1161 - Modem
     1162 - Ringout
     1163 - Ringout
     1164 - Ringout to Meatwitch VMB
     1166 - Ringout to Meatwitch VMB
     1170 - Ringout
     1171 - Ringout to Meatwitch VMB
     1180 - Meatwitch VMB
     1183 - Meatwitch VMB
     1184 - Meatwitch VMB
     1186 - Meatwitch VMB
     1187 - Ringout
     1190 - Really old AIS. Cognitronics? NIS report.
     1191 - Same as 1190
     1192 - Same as 1190
     1193 - Same as 1190
     1194 - Same as 1190
     1195 - Same as 1190
     1196 - Ringout
     1197 - Ringout
     1198 - Same as 1190
  8. I'll post it here. This forum is for sharing information, not hoarding it. Long story short, there's an AT&T Technical Journal article on the System 75 - the Definity's ancestor - that my friend was nice enough to snap some pictures of at a university library. I won't mention them unless they specifically want me to, but it goes into a reasonable amount of depth about the Definity's hardware and software architecture. Part of what it details is the Definity's DCP protocol; the one used to communicate with the phones. It's an ISDN spinoff, long story short. Probably a variant of 5E custom. If you take a close look at the cards, you'll notice there's some Siemens PEB2075 (iirc) D-channel exchange controller ICs on them that all but confirm it's ISDN. A logic analyzer or an ISDN-specific protocol analyzer will take you a long way in figuring out the differences between this and an off the shelf basic rate interface. I don't see a lot of issues with Definity cards, but usually it's just some discrete components that flaked off because of heat or mishandling. I can't claim surface mount soldering is easy, but it's doable. Especially when it's just a few capacitors or resistors that were very clearly ripped off the PCB. Not especially, no. While I've heard a lot of things about the ICPs (am I the only person who goes out of their way to call them Insane Clown Posses? I feel like a dork for letting that crack me up), not a lot of them make me confident in their ability to behave under normal circumstances, let alone when someone takes their fans away. More to the point though, the Definity fans are off the shelf 120mm ones. You could take ten minutes to slap new ones on instead of literally endless years of soul crushing work. I had this conversation with Gewt at one point, and she suggested a pair of these: . While the noise level isn't currently a big issue for me (the Definity lives in my garage), the fans both use standard color codings for +5/+12 volts and ground. 
To be safe, maybe compare with a thermometer for about a half hour or so on both to make sure the new fans are doing what they should, but otherwise, you should have a quieter Definity in a lot less time for, in all likelihood, a lot less money. With all due respect, you're not likely to find a lot of people supporting that belief in any sort of practice. As someone who doesn't have a serious knowledge of car engines, if I were to ask a team of mechanics to develop a custom replacement engine for me and informed them that I wouldn't be able to help them make it, even if they liked the engine, there's probably no team in the world that would take on such an effort for free. You could apply this same idea to construction, music composing, or like I said - any sort of practice that involves significant skill. This is getting out of the realm of this topic, but on a personal note, I've seen far, *far* fewer UCx systems out there than I do original Norstar or BCM systems in place. The economics make much more sense in that case too; lots of nationwide store chains have Norstar key systems. Definities are more of a one-off system for mid-sized businesses and offices. The only chain users I know of off the top of my head are Nordstrom and Motel 6. In the first case, they don't show any interest in getting rid of their Definities, and are installing Auras that can support DCP phones in all their new stores. In the second, aside from attendant consoles and maybe one or two staff phones, the phones are all vanilla analog sets. If you'd like to pick up a UCx though, you can probably get one for pretty cheap from one of the Toys 'R Us stores going out of business. That being said, please do keep in mind that this forum isn't a business, and none of us are getting paid to do this; this is all funded with money out of our pockets and with a substantial chunk of spare time out of our personal lives. 
When I started trying to learn how to unlock Definity processors - three years ago - I hadn't written a line of code, and had a generally much fuzzier understanding of how computers and even phone switches worked internally. Much like phreaking has continually helped me learn a lot of new skills and ideas, it's partly thanks to being able to stick with this undertaking that I was able to gain a much more solid understanding of computer software and time division multiplexing, and help make a lot of great things happen in the process, like bringing Definity service to Toorcamp and hopefully saving some PBXes from the scrap heap. As a general rule, most people who do this sort of thing are ready to help everyone else with that sort of understanding; it always leads to great things, but that readiness ends on huge projects the initiator shows no motivation to participate in. If you don't like this, well, we've already given you an ample amount of resources you'll find literally nowhere else on the internet to help you start, and some of them have been uploaded specifically for your benefit. You're welcome to expect a better response from all the other groups of people doing Definity reverse engineering.
  9. Slip in some vanilla vodka, and we're _definitely_ in business. I detailed a bit about this on the first page; basically, there's just a substitution cipher that's used to encode the password; so like, it'll change all As to Zs, Bs to Xes, etcetera. After it's done with that, it'll switch around the byte order. I only had the first several written down (fifth is first when unscrambled, sixth is second, fourth is third, seventh is fifth, first is sixth, third is seventh, ninth is eighth, eleventh is ninth, eighth is tenth, tenth is eleventh), so figuring out how to get the rest was mostly a matter of figuring out what word they were trying to put in there. The Definity OS has no RAM protection, so once you figure out what address the password is stored at (which isn't hard; just ctrl+f for inads in the ramdump. You'll see two iterations of the obfuscated passwords next to their respective usernames. The first one is the current one, the next is the previous password you used; the idea being you aren't supposed to use it again), you can use the wva (write virtual address) command to overwrite the passwords if you want. On that note, the ramdump can be translated back into binary data by filtering out all the crap from the dump program. There's probably an elegant way to do this with awk or some other Linux tool. It's times like these I can be more sloppy than I care to admit; I'll just use OpenOffice. After getting rid of all the things that obviously aren't data, like the command you typed and the error message at the end, you do some find and replace functions; one for '0x' and another (with regular expressions enabled) for '004.....:' . When you're done, nothing should exist except the data (minus the 0x portion) it was spitting out. Paste this into a hex editor - I prefer HxD, and save it. The answer to that is very likely yes. I'm mostly seeing a lot of blank bytes in that file, though. How're you uploading it? 
Yeah; you can just use mode codes (DTMF) instead of a C-LAN card. I *think* I talked about what RPMs to install at some point in this thread. Lemme know if I didn't/you'd like me to walk you through it. Nope. Release nine doesn't use any sort of key-based licensing, so while the R12 processor will accept the translations, it'll run in no license mode. In a word, it's no fun mode. The translations for the later systems also have a key that includes the processor's serial number. I dunno if/when there'll be any concrete success to work out, but for the moment, the processor I yanked off eBay had some encouraging things to say: If you play around (don't be shy; carrier grade telecom gear isn't exactly made of glass), you'll find the byte that tells the Definity to prompt you for ASG instead of a regular password. It should be about 112 bytes after the last character of a password, and will be a 0x01. There's like, six, so a minimal amount of trial and error will find it. When you get a copy of your translations file, change it to 00, and change another 00 in the file (most next to the first byte should be fine) to a 01 to satisfy the checksum and upload it. If you do this for, say, inads, you'll have permission to write to the system's RAM at will. You can change this for init, but the system will just ignore this. Sort of a moot point, since not much can be done in the way of activation without knowledge of the licensing. Yup, sorry. It's just been an interesting week. Long story short, my hands have been a little tied. Even on the worst of days, I'll find time to hit the conf, but sometimes my ability to respond to forum stuff gets onto the chopping block.
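The post above describes turning the debugger's RAM dump back into a binary file by hand in OpenOffice: delete the echoed command and the trailing error, then find-and-replace away the '0x' tokens and the '004.....:' address prefixes. The script below is an added example (mine, not the poster's or Avaya's) of doing the same thing in Python. It assumes the dump looks like an 8-hex-digit address, a colon, and a row of 0x-prefixed bytes; the sample dump, the marker string and the error line are constructed for the example and contain no bytes from a real switch. Unlike the manual method, it also checks that consecutive rows are contiguous, so a dropped or repeated row during a serial capture shows up as an error instead of a silently misaligned image.

```python
import re

# Constructed sample of debugger output (assumption about the layout: an
# 8-hex-digit address, a colon, then 0x-prefixed byte values), wrapped in the
# two kinds of non-data lines the post says to discard: the echoed command and
# a trailing error message. None of these bytes come from a real system.
SAMPLE_DUMP = """\
rd -f 2000000x pam 0x400000
00400000: 0x54 0x45 0x53 0x54 0x00 0x00 0x00 0x00
00400008: 0x6d 0x61 0x72 0x6b 0x65 0x72 0x00 0xff
00400010: 0x01 0x02 0x03 0x04
error: end of range
"""

# One data row: address, colon, one or more 0xNN tokens and nothing else.
DATA_LINE = re.compile(
    r"(?P<addr>[0-9A-Fa-f]{8}):\s*(?P<vals>(?:0x[0-9A-Fa-f]{2}\s*)+)"
)


def parse_dump(text):
    """Convert dump text to (base_address, bytearray).

    Rows that do not look like data (command echo, prompts, error text) are
    skipped, which replaces the manual delete and find-and-replace steps.
    A gap or overlap between consecutive row addresses raises ValueError
    rather than producing a misaligned image.
    """
    base = None
    image = bytearray()
    for raw in text.splitlines():
        m = DATA_LINE.fullmatch(raw.strip())
        if not m:
            continue
        addr = int(m.group("addr"), 16)
        if base is None:
            base = addr
        elif addr != base + len(image):
            raise ValueError(
                f"row at 0x{addr:08x} is not contiguous with 0x{base + len(image):08x}"
            )
        # int() accepts the 0x prefix when the base is 16.
        image.extend(int(tok, 16) for tok in m.group("vals").split())
    if base is None:
        raise ValueError("no data rows found")
    return base, image


def find_marker(image, base, marker):
    """Locate an ASCII marker in the image and return (offset, absolute
    address), or None. This is the scripted form of the ctrl+f step."""
    off = image.find(marker)
    if off < 0:
        return None
    return off, base + off


def write_image(image, path):
    """Save the reconstructed bytes so a hex editor can open them directly."""
    with open(path, "wb") as fh:
        fh.write(image)


if __name__ == "__main__":
    base, image = parse_dump(SAMPLE_DUMP)
    print(f"base 0x{base:08x}, {len(image)} bytes")
    print(find_marker(image, base, b"marker"))
```

Because the rows are matched whole rather than edited piecemeal, a line that is half data and half garbage (a common result of a flaky serial link) is dropped instead of contributing stray bytes, and the contiguity check tells you which address to re-dump from.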
  10. I may have a copy that came as part of a backup of some super sketchy Russian FTP. When I get home, I'll look into that, among some other things, and finish writing up the aforementioned Definity unlocking stuff.
  11. If you feel like using putty, one thing I've had some particular success with in minicom are the VT220 function codes. It's been a while since I've had a Windows machine hooked directly up to the Definity, but I think this works roughly the same. In VT220 mode, the shift+Fx keys should be mapped to the Definity function keys. For example, shift+F5 is help, shift+F7 is confirm. Page up/down are mapped normally, and cancel works as delete. On some notebooks, sometimes the function keys will move around a bit, so you'll wind up with shift+f3 or something doing what you want. It takes some trial and error, but once you've got it down, it relieves a lot of terminal headaches.
  12. I'll update this post with some more info when I'm not getting ready for work, but for now, the password for your release 6 card is '0nvacat10n'. Nothing like a cute little Definity word scramble to start your day. I guess you just had a different build than the other release 6 I unlocked.
  13. Try booting the system without a card and logging in as inads. The command 'go debugger local' should be available from the command interface, though not listed. At the debug interface, type this: 'rd -f 2000000x pam 0x400000'. If you post the dump on here, I can filter the output to reflect the actual binary it's dumping pretty easily. If you want to just upload it, I can A) tell you the password, B) tell you what RAM address and commands you need to use to change it, or C) we can skip all this crap, and you can just try the password 'e5peranto'. If I remember right, that's the release 6 init password. A little less fun, but it gets you what you need.
  14. 617-534-0000 - Voicemail unavailable recording. 15A announcement machine (the kind the 5ESS uses) on a DMS-100?
     617-248-9901 - Permanent signal announcement
     617-248-9902 - Dial 1+NPA for toll calls rec
     617-248-9970 - rec, "We're sorry, your call cannot be completed as dialed. You need additional digits to complete your call. This is a recording."
     617-638-9905 - "This is an emergency telephone. Press 1 to talk..."
     252-441-4392 - Norstar key system at Carolina Telephone Kill Devil Hills CO. Press * for options
     207-442-9923 - Modem
     207-442-9932 - 480 hertz tone!? Times out to ACB cause code
     207-442-9936 - 620+480 hertz tone, times out to ACB cause code
     Those last two I'm really scratching my head on.
  15. Damn, you've been busy! Thanks for taking a look. The thing on 6091, for whatever it's worth, seems to accept some commands preceded with a *. So for example, *1 will keep waiting; usually for a * to terminate whatever you're dialing. *3 seems to consistently wait for more digits after you press a terminating *. When it picks up, it spits out *9 and a bunch of zeroes. I think ten. Some of those modems on there are indeed, well, modems, but whatever this stupid PBX is will hear the 2100 hertz handshake tone and start trying to impose T.38 on the connection. Needless to say, it's as unnecessary as it is annoying; the connection to the outside is done over a PRI or some other T1-based thing. But yeah - sorry nobody responded to you; you definitely deserved one a lot sooner. If you feel like taking a look at the other exchange, it can't hurt, but I honestly don't have high hopes for fun stuff.
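Post 6 proposes "a rough level of signal detection using the DSP" so recordings can be indexed by what is on the line, and posts 14 and 15 name the specific tones a scanner keeps running into: a lone 480 Hz, 620+480 Hz, and the 2100 Hz modem answer tone. The block below is an added example, not code from the poster or from any Dialogic SDK, of the simplest detector that covers those cases: a Goertzel filter per candidate frequency, with the set of strong bins matched against known tone signatures. The 8 kHz sample rate, the 0.2 s analysis window, the relative threshold and the synthetic test audio are all assumptions made for the example; it generalizes slightly beyond the posts by also recognizing precise-tone-plan dial tone (350+440 Hz).

```python
import math

SAMPLE_RATE = 8000  # Hz; telephone-band audio (assumption for the constructed samples)

# Tone signatures from the posts plus ordinary dial tone. Each label maps to the
# set of frequencies that must be present, and nothing else.
SIGNATURES = {
    "dialtone": {350, 440},
    "busy/reorder (480+620)": {480, 620},
    "480 Hz tone": {480},
    "2100 Hz answer tone": {2100},
}
CANDIDATE_FREQS = sorted({f for sig in SIGNATURES.values() for f in sig})


def synth(freqs, seconds=0.2, rate=SAMPLE_RATE, amp=0.3):
    """Constructed test audio: a sum of equal-amplitude sinusoids in [-1, 1]."""
    n = int(seconds * rate)
    return [sum(amp * math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Goertzel algorithm: energy of `samples` at the DFT bin nearest `freq`."""
    n = len(samples)
    k = round(freq * n / rate)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def detect_tones(samples, rate=SAMPLE_RATE, rel_threshold=0.2):
    """Return the candidate frequencies present in `samples`.

    A bin counts as present if its energy is at least `rel_threshold` of the
    strongest candidate bin. An absolute floor (assumed value) rejects silence
    and off-plan signals, whose residual bin energies are numerical noise and
    would otherwise pass the relative test by accident.
    """
    n = len(samples)
    powers = {f: goertzel_power(samples, f, rate) for f in CANDIDATE_FREQS}
    peak = max(powers.values())
    if peak < 1e-4 * n * n:
        return set()
    return {f for f, p in powers.items() if p >= rel_threshold * peak}


def classify(samples, rate=SAMPLE_RATE):
    """Map the detected frequency set to a signature label, or 'unknown'."""
    present = detect_tones(samples, rate)
    for label, sig in SIGNATURES.items():
        if present == sig:
            return label
    return "unknown"


if __name__ == "__main__":
    for name, freqs in [("dial", {350, 440}), ("busy", {480, 620}),
                        ("480", {480}), ("answer", {2100}), ("offplan", {1000})]:
        print(name, "->", classify(synth(freqs)))
```

With a 0.2 s window at 8 kHz the bin spacing is 5 Hz, so every frequency in the table lands exactly on a bin and a clean tone leaks nothing into its neighbours; on real recordings you would run this over successive windows and require a signature to persist for a few of them before tagging the number.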