• Content count

  • Joined

  • Last visited

Community Reputation

65 Knowledgable

1 Follower

About ThoughtPhreaker

  • Rank
    Dangerous free thinker
  • Birthday 11/02/1991

Profile Information

  • Gender

Contact Methods

  • Website URL
  • ICQ

Recent Profile Visitors

27,808 profile views
  1. Not that I know of. The motherboard I installed it on didn't have onboard graphics and I didn't have a card for it, so I just installed it on a VM and copied the drive image over. You could probably do the same thing yourself if it came down to it; just make sure you get the same number of cylinders and such for the image. I would suggest enabling mgetty on a serial port so you can dial into it, though. The system comes with ethernet drivers for basically just whatever rebadged desktop they happened to bundle Audix with, so the chances of you being able to access it if it's headless are basically zero. This would be a good time to mention to anyone else who might want to do this that it erases your hard drive without asking when you boot the CD. Sorry, I definitely should've mentioned that. Yeah, that'd be one of the reasons. The other would be licensing; there's some executable that the system runs, parcrypf, to determine how many lines your system is licensed for. You can overwrite the license file all you want, but every time the program runs (which would be quite a lot), it'll lock it down again. The last time I dealt with this was months ago, but it shouldn't be too hard to figure out what file it's reading to determine the amount of ports it can use. As a quick and dirty fix, you can also just make a shell script that outputs a license file with whatever you want, and swap it with parcrypf. I'll see if I can figure out what needs to be changed sometime this week. That would make sense, yeah. When the system boots, it makes the Dialogic cards test for loop current. If it can't detect it, it'll force the port out of service until you manually get it to test successfully. It's definitely possible 24 volts won't satisfy the Dialogic cards. If you happen to find yourself needing more 746Bs, get the ones from the early or mid nineties. It's not a big deal, but there's a noticeable (but subtle) difference in the noise level on the cards; the newer ones have a bit of hiss on them while the old ones are dead silent. The first two digits of the serial on the front of the card should tell you when it was manufactured. Anyway, I'll have to take a rain check on the control channel; I can tell you how to install the packages, but you're on your own from there. The C-LAN board I got off eBay turned out to be DoA. Thankfully, the problem looks relatively minor (a few resistors got shaved off the PCB), so I'm going to see if someone who is confident with surface mount soldering can make it work again. It wouldn't feel right to toss an out of production board over 30 cents worth of parts. If you wind up in the same boat, you can always just get it to send the signaling data over DTMF.
  2. There's a special extension type - VMI that seems to send a number of some sort when the line goes offhook. I'm guessing it's the number calling it, but I'll check tonight. Here's a configuration guide Avaya made for setting up an Audix/Definity arrangement: Though it's not documented here, you can do this with regular line classes and a hunt group if you want. Make a hunt group with the Audix lines, and add a vector with the command "converse on split [hunt group ID] priority [whatever] . The next few arguments after that should give you the option to send a number of things after any line in the hunt group goes offhook. EDIT: Here ya go! Sorry for the sketchy file locker. It's the first I could think of that allows big files for free. Here's the service pack update thingy as well. I think the first release of Audix has some sort of well documented vulnerability. I mean, aside from all the ones you'd expect from circa-2003 Redhat.
  3. Er, sorry. I think we got a little mixed up there. The Definity doesn't have the storage space to do voicemail on it's own, but it definitely wouldn't be out of the realm of possibility for the hardware to be capable of it with a better IVR scripting language. But yeah, aside from the codec this instance of Audix uses, it does voicemail perfectly well. Just the C-LAN card if you want to use the control protocol that runs between the Definity and Audix. It'll still work without it, though. It's not particularly straightforward to get that working though, since there's some RPMs it wants installed, but it won't tell you which. I think I've figured out how to make it work, but my C-LAN card won't come in them mail until later today. So we'll just have to see. In the meantime, I'll see about getting this uploaded. By the way, one thing you might want to think about doing is putting a small amount of resistance on the Audix lines, as well as any other really short ones you might have. It shouldn't be a big deal, but one thing I've noticed is the analog station cards tend to run quite hot when you have them offhook for a non-stop, say, 45 minutes or so. I guess they were designed to just have longer loops.
  4. Sure! I actually happen to have a working Audix ISO sitting right here. When I get to an uncapped internet connection, I'll upload it for you. I was going to make an article about this at some point, since there's a fair amount of crap you'll have to do with the shell scripts on the system to make it cooperate. But it's more just tedious than anything else. So you'll need: * Any old computer (a 500 MHz machine with, say, 256 MB of RAM should be fine) capable of supporting a full size PCI card * An analog Dialogic JCT card. This particular model is the one I have; There's probably a way to kluge it to work with a Dialogic T1 card, but this particular Audix install likes to transcode everything to some weird CELP codec. That, and it runs on an ancient version of circa-2003 Redhat. Between the two, I wound up shrugging it off and making my own custom IVR with it from the ground up. If that's all you want by the way, the vectoring feature on the Definity is surprisingly decent when you use it the right way. I even kluged an ANAC out of it at Toorcamp. The downside is you have really really really limited use of variables (for no particularly good reason; it would take basically no effort to add support. I think they actually did this in one of the later CM releases. My guess is it wasn't there in the first place so it didn't hurt the Conversent IVR platform's sales), so it can be kind of annoying to develop stuff for.
  5. At this point, you could probably just log in using the craft account; the password is "y0urthe1". I'm surprised; it actually only took a few hours to figure out. Let me explain how it works; it's actually pretty funny. So go ahead and boot your Definity without a translations card, and we can get started. As before, log in with inads, but this time type 'go tcm'. From here, you'll see a new, and from the looks of it, very, very nifty shell once you've gotten you're switch running with no restrictions. If you type klog, you can see a printout like this; support your local Oryx (Oryx g4.34)$ support your local Pecos$ Boot image vintage: G3V8i.$ Boot image build information: 03/21/00-21:39:28;gaz;fld;alawint;G3V8.pj$ If you're not familiar with Oryx/Pecos, Oryx is the kernel, and Pecos is a series of processes that runs on top of it. But back to the password thing, if you're looking to do a lot of comprehensive work with the password file on the switch, you should do a full dump of the RAM allocated to the pam process. But that's kind of a big pain in the ass. If you're just looking to get the passwords, the switch actually makes it relatively easy. At the TCM shell, type this; prec pr_login nread_prec 0 And it should come back with something like this; PR_LOGIN 696e 6164 7300 006c 756a 6521 7376 6a2e 'inads luje!svj.' PR_LOGIN 0000 006c 756a 6521 7376 6a2e 0000 0001 ' luje!svj. ' PR_LOGIN 0101 0101 0001 0101 0101 0101 0101 0100 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0100 0000 0000 0000 0101 0101 ' ' PR_LOGIN 0101 0100 0000 b21a 22c3 69b8 786c 0000 ' " i xl ' PR_LOGIN 0000 0000 0000 0000 0000 0000 ffff ffff ' ' PR_LOGIN ffff ffff 0000 0000 0000 0000 ffff ffff ' ' PR_LOGIN ffff ffff ' ' See? It even gave us a little ASCII printout! Wasn't that nice of it? It'll ask you to press enter a few times before giving you the passwords for all users. So once you've got it, you'll probably notice a few things. For one, there's a lot of exclamations in the password file. Secondly, the dadmin account will probably read something like this; PR_LOGIN 6461 646d 696e 0021 214b 5621 5953 2121 'dadmin !!KV!YS!!' PR_LOGIN 2121 2121 214b 5621 5953 2121 2121 2101 '!!!!!KV!YS!!!!! ' PR_LOGIN 0101 0101 0101 0101 0101 0101 0101 0100 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0200 0000 0000 0000 0201 0101 ' ' PR_LOGIN 0101 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 ffff ffff ' ' PR_LOGIN ffff ffff 0000 0000 0000 0000 ffff ffff ' ' PR_LOGIN ffff ffff ' ' So why so many exclamation points? The exclamation point is a null character as far as the passwords are concerned. The byte I highlighted in bold is the one responsible for the user ID. So I'm going to change the password for craft from crftpw to crftpw1 and re-run the TCM shell command. There's a byte you can change in the RAM to make it force you to change your password. It's good in a situation like this where the switch won't let you change your password normally. It's sort of a pain in the ass to find, but let me know if you want me to point it out. Anyway, you'll notice the first two lines just changed to this; PR_LOGIN 6372 6166 7400 006c 7577 7231 636e 2121 'craft luwr1cn!!' <-- crftpw1 PR_LOGIN 2121 216c 7577 7221 636e 2121 2121 0001 '!!!luwr!cn!!!! ' <-- note old password stays the same (crftpw) This would be a good time to mention the Definity has two copies of your password, as you've no doubt noticed. But the old one stayed the same in this case, as far as I can tell, to enforce the password policy. Namely so that when your password expires, you can't just change it back to the old one. So what changed? Just one character - the 1 at the end. And sure enough, one of the null characters changed to a 1. Obviously though, it's not just as simple as scrambled characters. So next, let's change the password to aaaaaa1. PR_LOGIN 6372 6166 7400 007a 7a7a 7a31 7a7a 2121 'craft zzzz1zz!!' <-- aaaaaa1 PR_LOGIN 2121 216c 6977 7237 636e 2121 2121 2101 '!!!liwr7cn!!!!! ' <- crftpx2; I did a little trial and error before doing this. Notice the position of the 1 stayed the same. So at this point, it's obvious they're just substituting one letter (or number) for another. I'll save you some time here, and just say since a translates to z, b is x, c is c, d = v, e = b, and f = n. So with that in mind, let's figure out how this stupid byte swapping trick they're doing works. 5624713 efbd6ac PR_LOGIN 6372 6166 7400 0062 6e78 7639 7a63 2121 'craft bnxv9zc!!' <-- abcdef6 PR_LOGIN 2121 216e 6e6e 6e39 6e6e 2121 2121 2101 '!!!nnnn9nn!!!!! ' So there you go. First is the fifth password character, then the sixth, second, etcetera. Cute. So when encoding... a = z, b = x, c = c, d = v, e = b, f = n, g = m, h = a, i = s, j = d, k = f, l = g, m = h, n = j, o = k, p = l, q = q, r = w, s = e, t = r, u = t, v = y, w = u, x = i, y = o, z = p, 1 = 1, 2 = 7, 3 = 2, 4 = 8, 5 = 3, 6 = 9, 7 = 4, 8 = 0, 9 = 5, 0 = 6 For uppercase characters, the same concept applies; A= Z, B = X, and so on. So here's something I've been waiting to see for a long time. Let's pull up the record for the init password. PR_LOGIN 696e 6974 0000 0065 3132 3265 6a68 2121 'init e122ejh!!' PR_LOGIN 2121 2165 3132 3265 6a68 2121 2121 2101 '!!!e122ejh!!!!! ' PR_LOGIN 0101 0101 0101 0101 0101 0101 0101 0100 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' ' PR_LOGIN 0000 0000 0000 0000 0000 0000 0001 0101 ' ' PR_LOGIN 0101 0100 0000 7de9 d15e 9ce8 a068 0001 ' } ^ h ' PR_LOGIN 0000 041b 0000 000c 0000 0000 ffff ffff ' ' PR_LOGIN ffff ffff 0000 0000 0000 0000 ffff ffff ' ' PR_LOGIN ffff ffff ' ' Using the concept we just talked about, we can infer that the default init password is n3m3s1s. So just to check, I changed the craft password to n3m3s1s; PR_LOGIN 6372 6166 7400 0065 3132 3265 6a68 2121 'craft e122ejh!!' <-- n3m3s1s; same as init password. Lulz. PR_LOGIN 2121 2143 5670 5836 6f5a 2121 2121 2101 '!!!CVpX6oZ!!!!! ' Can you say insecure? The Definity can! Or as it'd say, ctjbwse12b2! . If you'd care to learn the order of the remaining bytes (that's the maximum length of 11 characters), that's "insecure133". EDIT: I talked with Chronomex earlier, and she pointed out that the characters map to the keys on a Qwerty keyboard backwards. Somehow Nortel got the idea this substitution cipher/byte swapping thing was a good idea too, so you'll see the something like it on Meridians. There's actually an NES game that did a better job at this.
  6. On release 8, if you boot up with translations it'll want a challenge/response for inads, but that goes away if you boot it with no card. The thing about ASG is I dunno where it's pulling the keys from (maybe there's some default values on the ROM? I know ASG exists for release 6, but it isn't turned on by default. I definitely didn't generate a key for inads). From the stuff I've been able to dig up, it's not particularly strong either; it's an 20-digit octal key plus a 4-8 digit PIN. The response it's expecting is a seven digit number. Speaking of which, a 20-digit octal key is 112 bits, right? Didn't a lot of older crypto stuff use a key of that particular length? If someone here is familiar with cryptography, would you mind filling us in on why that might be? EDIT: Before anyone asks, it's not 3DES. It came out long before 1998. Another EDIT: I have the Linux PAM module for Audix if you want it. There shouldn't be anything stopping you from putting the card back in and booting normally if nothing I talked about worked, though. Might as well write a backup of the card to your computer if nothing else. ASG Soft Key User Guide.pdf
  7. 608-227 9100 - 100-type test 9101 - Busy via SS7 9102 - 102-type test 9103 - Same as 9171 9104 - Same as 9171 9105 - 105-type test 9107 - Messed up echo test 9108 - Echo test (9110-9119 skipped) 9150 - Ringout 9151 - NIS rec 9152 - ACB rec 9153 - CBCAD/# DISCO rec 9154 - Network difficulties rec 9155 - Dialing 1 not necessary rec 9156 - Dial 1/0 first rec 9157 - rec, "To reach a long distance operator, please hang up and dial 1-800-OPERATOR." 9158 - Party doesn't accept blocked calls rec 9159 - LD CBCAD rec 9160 - rec, "The number cannot be reached. Please hang up and try again later." 9161 - rec, "The number called is busy. A special ringing will tell you when the line is free. Please hang up now." 9162 - rec, "You have canceled your request. Please hang up now." 9163 - rec, "We're sorry, the custom calling feature you've requested is not available from this line." 9164 - rec, "We're sorry, you have dialed your call from a telephone that has call restrictions, or you have dialed a number which cannot be reached." 9165 - rec, "KMC Telecom...Thank you for choosing KMC Telecom for your long distance service." 9166 - Same as 9157 9167 - rec, "The number was free, but it has just become busy again. A special ringing will tell you when the line is free. Please hang up now." 9168 - rec, "To reach a long distance operator, please hang up and dial 10-222-00." 9169 - *57 success/"small surcharge" rec 9170 - *57 fail rec 9171 - rec, "We're sorry, the number you are calling cannot receive calls at this time. Please hang up and try your call again later." 9172 - rec, "Your call has been completed. However, the party you have called is not receiving calls at this time." 9173 - rec, "Thank you for calling. We are sorry to delay your call. Please stay on the line and a representative will assist you in just a moment." 9174 - Same as 9173 9180 - Cognitronics MCIAS 1610 administration modem 9181 - Cognitronics MCIAS phone administration menu 9183 - Cognitronics MCIAS, "Flexible announcement system" Also, the University of Wisconsin has a centrex that'll terminate traffic to any local number without passing ANI. Oh, and there's a toll-free number going to it - 800-330-8829 . That's an Avst VMS, by the way, connected directly to a 5ESS.
  8. Sure! I had to go through this myself, only without the benefit of an account on the translations card to work with. Depending on what software release you have (if you're trying to install a C-LAN card, I assume it's a fairly late release. I don't think it'll work with anything below release 7) you have a few different options here. 1) The easiest is to just boot the system with no translations card installed. Once you've got it running, log into it with the username inads and the password indspw. Go ahead and insert the memory card into the reader. Or just skip all this crap and if you have something that accepts linear flash (ATA flash for the later systems) PCMCIA cards, just stick it in that. Anyway, assuming you're doing the Definity method, type 'upload translation'. Or maybe it's download; I think they made it to be upload from the Definity instead of to the terminal emulator. On one, it'll copy the flash card's contents into RAM and say "Prepare to receive file". Use xmodem to receive the file, and you'll have a copy of the passwords (albeit XORed or something; it's not anything particularly sophisticated. I don't know the algorithm, but I can give you as many plaintexts as you want if you need them. It doesn't seem to be anything standard, but it looks like Base64 at first glance) from the switch. 2) If you have a release 6 or lower processor, you can boot with no translations card again, and overwrite the bytes for the init (superuser; the one that lets you activate any feature you feel like having) password with the ones of a password you know (there's no RAM protection; the rva command should let you do this. I'll attach a ramdump of the pam process to this post). For added shits and giggles, there's even a byte you can change to make a password expire. In some situations, that might be the only way you have to change it. I dunno a lot about the way the header works, but in release 6 and 8, there's a byte that indicates what type of account the username is - or maybe it's an account ID. By default, It's 0x00 for init, 0x01 for inads, 0x02 for craft, and I think the rest are in descending order of account privileges. It might be possible to have two init or inads accounts. However, if the init account is set to prompt for an ASG login (which in release 8/+, it is by default), it'll try and give you a challenge/response for the init account. If you do have a release 8/+ translations card, one thing I've found you can do is change the account ID for the init account to 0x01 (so it doesn't prompt for an ASG challenge/response), write the password to one you know, and then write it back to 0x00 when you're logged in. Though you'll get slightly higher privileges than the inads account, it seems to know what you're doing, and disables the option to change purchased features. Or activate the switch to begin with >.< . For release 8/+, I think there's really only one course of action that can be done at the moment; log in as inads (or init with the above method; the only difference is under inads, it'll try to hide this, but it'll still accept it) and type 'go debugger local'. The switch has a lot of nice things in here, including a simple disassembler. If you speak R3000 assembly, you can probably figure out why/how the switch knows you've been screwing around with the accounts. Judging by how it complains about my *cough* modded release 6 card, I assume the init password is derived from something specific to the software version, and newer releases, knowing that, will complain if you've changed it. If you decide to take this route, lemme know. There's a bit more detail I can go into about the debugger and general Oryx/Pecos operation. 3) You can boot it with no translations card, and upload a fully unlocked release 6 translations backup I made to your card. On newer releases, this'll still work, but you'll be relegated to release 6 features, and it won't let you save; the newer processor releases seem to know something is up, and will claim the card is corrupted. Normally I'd just upload it, but there's some stuff I'd rather not have public on the translations backup I made. Lemme know if you want it. pam.bin pam_r8.bin
  9. Frontier updated the branding on a couple of switches for Express Dialtone, so I assume they do it; 503-658-0000 208-765-0003 (this one is amusingly bad) The ex-Iowa Telecom parts of Iowa still have the original GTE branding on their recordings. I guess they haven't done it for a while; 515-733-1263. I know the ex-Centel parts of Centurylink do (or did at one time) something like this, but have an IVR for it. Along with other things like their anonymous call rejection IVR, you might be able to still reach it by dialing something in the 959-90xx or 91xx range on one of their switches.
  10. I had sort of a tough time with this independent DMS, but there's still a few nice things in it; 336-886 3896 - Non-suping feed of sound from switchroom 3894 - Doorphone 3890 - Broadworks "collaboration center"/conference 3799 - Business office closed recording 336-887-0002 - 300 baud modem
  11. Maybe talking to the 101-0288-0 operators would be a good idea? They have to accept the cards, so I'm assuming they know where to get them. EDIT: Did you notice the bitrob noise between the ticks? I wonder if it's trying to seize some sort of non-SS7 trunk and listen for a wink or something. For what it's worth, Windstream seems to operate a postpaid calling card platform of some sort. It sounds like it's running on some sort of Dialogic hardware; . On what terms they'll sell it to you is anyone's guess, though. That's definitely true of AT&T and Verizon. They seem to be trying to transform themselves into some sort of software defined cloud as a service company that they're not particularly well equipped to try and be, especially against people like Google and Amazon in an already over-saturated market, and certainly not in the timespan they're expecting. Sort of like a 50something Wall Street middle-manager waking up one day and deciding he wants to be an overnight hip hop sensation. Some of the other companies like Centurylink and Cincinnati Bell I have more sympathy for. They seem like they've just historically followed the market leader, and facing some pretty nasty times, just aren't sure what to do. Thankfully, they're not (or at least I don't think) all that way.
  12. Regardless of where it's routing though, isn't it going to need CPN under any circumstance to be useful? EDIT: Sorry, I misunderstood the question. 10-digit PSAP numbers can already unmask privacy bits. I'm sure it's some sort of test case; they probably wouldn't go to bat against regulators for a single customer - especially a relatively small one. Maybe they plan on offering some sort of Trapcall-esque service to people? I'm not sure what the circumstances are, but there can't be any better excuse than doing it for an emergency service.
  13. So earlier, someone found this curious doohickey at a Lowes; 650-452-1063 Also, another scan for shits and giggles. Note the voice of that IVR being the same one as the Qwest Update Center (888-206-8052, etc) 360-532 0000 - Business 0001 - rec, "The number cannot be reached now. Please hang up and try again later." 0002 - Ringout 0003 - Busy signal via DMS 0004 - Dialing 0 not necessary rec 0005 - DISCO/NIS rec 0009 - AIS report, # in service 0010 - Ringout 0011 - Busy signal via DMS 0012 - Ringout 0015 - Ringout 0016 - Ringout 0017 - Busy signal via SS7 0018 - Reorder via distant end 0019 - Reorder via distant end 0020 - 100-type test 0022 - 100-type test 0023 - rec, "You have reached the NPA 564 test message." 0024 - Ringout 0025 - 102-type test 0026 - Echo test? 0028 - Modem 0029 - Ringout 0030 - *57 fail rec 0031 - Ringout 0032 - 100-type test 0033 - Long silence to RO 0034 - Reorder via distant end, probably not DMS 0035 - Reorder via distant end, probably not DMS 0036 - ACB rec 0037 - Reorder via DMS? 0038 - Reorder via distant end 0039 - Ringout 0040 - Busy line/repeat dial rec 0041 - Weird PBX on POTS line 0043 - Ringout 0044 - Qwest IVR, "Sorry, your party could not be reached. Goodbye." 0045 - rec, "This local call now requires ten digits. It is not necessary to dial a one when calling this number. Please redial using the correct area code." 0046 - DATU 0047 - Telco facility trouble rec 0048 - EDRAM stock ACB rec 0049 - EDRAM stock CBCAD rec 0050 - Qwest IVR, "Sorry, your party could not be reached. Goodbye." 0051 - DISCO/NIS rec 0052 - EDRAM stock YCDNGT rec 0053 - EDRAM stock permanent signal rec 0054 - Coin deposit rec 0055 - CBCAD/check your instruction manual rec 0056 - EDRAM stock dialing 1 not necessary rec w/weird SITs 0057 - EDRAM stock dial 1 first rec w/weird SITs 0058 - CBCAD from the phone you are using rec 0059 - Reorder via DMS 0060 - Business, ported to Comcast 0061 - Business, ported to Comcast 0062 - rec, "Your call has been completed. However the party you are calling is not taking calls at this time." 0063 - *57 success rec 0064 - LD service restricted rec 0065 - Party doesn't accept calls w/privacy bits rec 0068 - CBCAD/call your attendant to help you 0069 - DATU 0070 - 105-type test 0071 - Subscriber w/older Panasonic AM 0072 - 105-type test? On POTS line 0073 - Modem? Related to 0072 0074 - 105-type test 0076 - Reorder via DMS 0077 - Subscriber w/newer Panasonic AM 0078 - Subscriber, ported to Comcast 0079 - Subscriber 0080 - DISCO/NIS rec 0081 - Reorder via distant end 0083 - rec, "The number cannot be reached now. Please hang up and try again later." 0086 - CAC error rec 0091 - rec, dialing CAC not necessary rec 0092 - rec, CAC required 0093 - Reorder via distant end 0094 - Network difficulties rec 0095 - Subscriber
  14. For the moment, it's only one customer, but I found it interesting anyway. See the document for yourself;
  15. So in spite of the title, this actually isn't all that interesting. See, after the recent attack in France, we had another "free calls for X hours" deal going on. So I thought it'd be the perfect opportunity to scan the hell out of an exchange (in this case, a small one in rural, southern France; I figured it'd be just a single exchange, even if just a remote) to find out exactly where the test numbers were kept. Didn't work out so great, but for the record, everything is here. Hopefully we can all use this as a starting point to see where the test numbers are not. You'll notice there's some numbers here that are just blank. This is because the carrier I used, though for the most part decent, occasionally had some annoying routes that would either just superimpose fake American ring over everything, or just sit there and do nothing other than play discomfort noise forever. The idea being I'd get to them later if it seemed like there might be anything nice. +33-5-63-65-xxxx 0000 - VMB 0049 - Subscriber 0050 - Error from international gateway switch? 0051 - SS7 error message 0052 - Subscriber w/Orange VMB 0053 - SS7 error message 0054 - SS7 error message 0055 - VMB w/musical intro, transcoded 0056 - SS7 error message 0057 - SS7 error message 0058 - SS7 error message 0059 - SS7 error message 0060 - Ringout 0061 - Same as 0062 0062 - IVR? Transcoded, hangs up after short announcement 0063 - 0064 - VMB 0065 - 0066 - Ringout 0067 - SS7 error message 0068 - 0069 - Long silence to VMB 0070 - Ringout to Orange VMB 0071 - Ringout 0072 - Long silence to VMB 0073 - Ringout 0074 - Subscriber? Something silently picked up and hung up the phone 0075 - 0076 - SS7 error message 0077 - SS7 error message 0078 - SS7 error message 0079 - 0080 - 0081 - Ringout to Orange VMB 0082 - SS7 error message 0083 - 0084 - SS7 error message 0085 - Ringout to Orange VMB 0086 - SS7 error message 0087 - 0088 - SS7 error message 0089 - SS7 error message 0090 - Long silence to Orange VMB 0091 - Ringout 0092 - SS7 error message 0093 - SS7 error message 0094 - SS7 error message 0095 - Other SS7 error message (ISDN lines occasionally give this one) 0096 - SS7 error message 0097 - SS7 error message 0098 - VMB 0099 - Ringout 0100 - 0101 - Ringout 0102 - Ringout 0103 - SS7 error message 0104 - SS7 error message 0105 - 0106 - Subscriber 0120 - VMB 0199 - 0200 - SS7 error message 0300 - 0400 - Subscriber 0500 - Ringout 0501 - 0502 - Subscriber 0600 - Ringout 0601 - SS7 error message 0700 - SS7 error message 0800 - SS7 error message 0900 - Ringout 0999 - SS7 error message 1000 - Ringout to Orange VMB 1100 - Subscriber 1111 - SS7 error message 1200 - Fax 1300 - SS7 error message 1400 - SS7 error message 1500 - SS7 error message 1600 - SS7 error message 1700 - 1800 - Fax, ported 1900 - SS7 error message 2000 - SS7 error message 2100 - SS7 error message 2200 - SS7 error message 2222 - SS7 error message 2300 - Subscriber 2400 - 2500 - Subscriber 2600 - SS7 error message 2700 - SS7 error message 2800 - Subscriber 2900 - SS7 error message 2999 - SS7 error message 3000 - 3100 - SS7 error message 3200 - SS7 error message 3300 - SS7 error message 3333 - SS7 error message 3400 - SS7 error message 3500 - SS7 error message 3600 - 3700 - SS7 error message 3800 - SS7 error message 3900 - Ringout 3901 - SS7 error message 3902 - Ringout 3903 - Ringout 3904 - 3905 - SS7 error message 3906 - Subscriber 3999 - Ringout 4000 - 4100 - SS7 error message 4200 - Ringout to Orange VMB 4300 - SS7 error message 4400 - SS7 error message 4444 - Ring x4 + loud clunk + ACB via SS7? (subscriber picking up and hanging up phone? Doesn't make sense...) 4500 - SS7 error message 4600 - Ringout to AM w/AMBE greeting 4700 - 4800 - Ringout to VMB, possibly Orange 4900 - SS7 error message 4999 - SS7 error message 5000 - SS7 error message 5100 - Ringout 5200 - 5300 - SS7 error message 5400 - SS7 error message 5500 - Ringout 5555 - Ringout to Orange VMB 5600 - SS7 error message 5700 - SS7 error message 5800 - SS7 error message 5900 - SS7 error message 5999 - SS7 error message 6000 - SS7 error message 6100 - SS7 error message 6200 - SS7 error message 6300 - SS7 error message 6400 - SS7 error message 6500 - Transcoded ringout 6600 - SS7 error message 6666 - SS7 error message 6700 - SS7 error message 6800 - SS7 error message 6900 - SS7 error message 6999 - SS7 error message 7000 - SS7 error message 7100 - 7200 - Ringout 7201 - SS7 error message 7202 - VMB 7300 - Orange VMB? 7301 - SS7 error message 7302 - Busy signal via SS7 7303 - Ringout 7400 - SS7 error message 7500 - Subscriber 7600 - SS7 error message 7700 - Ringout 7777 - SS7 error message 7800 - SS7 error message 7900 - Ringout 7999 - Ringout 8000 - SS7 error message 8100 - SS7 error message 8200 - IVR? Suddenly goes to fax in the middle of greeting 8300 - Ringout to VMB. Orange? 8400 - Subscriber 8500 - Ringout 8600 - 8700 - 8800 - SS7 error message 8888 - 8900 - Orange VMB? 8999 - Ported? Different ring. Subscriber 9000 - SS7 error message 9100 - Fax 9200 - SS7 error message 9300 - SS7 error message 9400 - SS7 error message 9500 - Subscriber 9600 - SS7 error message 9700 - SS7 error message 9800 - SS7 error message 9900 - Ringout to VMB 9999 - SS7 error message EDIT: I should add I called those two numbers that pick up and quickly disconnect a few times several hours apart, so there's probably a pretty good chance they're not people.