ThoughtPhreaker last won the day on August 12

ThoughtPhreaker had the most liked content!

Community Reputation

119 Expert


About ThoughtPhreaker

  • Rank
    Dangerous free thinker
  • Birthday 11/02/1991

  1. So, couple things: Much like the US West switches in public service, 611 seems to wait for more digits. I have no idea what it does in or out of a lab environment, but on the lab DMS, it'll wait for three more digits (excluding 1/0; those go straight to reorder). On the 5ESS, it waits for seven. Also, on the DMS, 1-720 seems to go to different places than just 720; 720-993 for example terminates to the Sonus with a 1 first for some reason. Also, on exchanges in that area code that won't complete for some reason, it'll wait for four digits as well instead of the usual three. Hopefully, this'll wind up being a good way to teach translation logic on these two switches. There's a lot I want to figure out about how they anticipate digits.
  2. Only AT&T operates them right now; there were a bunch of LECs that bought them for intra-LATA switching, but those were replaced with DMS-200s. My guess as to why those were replaced is there was limited expertise available to run them, and a lot of collective, expensive headscratching. For AT&T, it's a little different; they developed the 4ESS with Western Electric/Nokia/whatever from the ground up to be a good toll switch; feature-wise, the software gives it a leg up over the DMS family for that. I'm guessing less so for local operations considering AT&T-owned local carriers like Pacific Bell phased them out years ago. But to answer your question, well, maybe. The older 4ESSes are pretty damn old, but in the world of circuit switching, that doesn't mean a whole lot. All the hardware is on easily replaceable cards, so you can replace stuff as needed; it's not like PCI or anything. You can just disable a card, yank it out, and shove something else in its place. The processors are redundant, so you can do this with them too. A switch that was installed thirty, forty years ago has probably had most of its earlier cards replaced with updated versions at some point, so it's not like running a car that old. But the last 4ESS was installed in 1999. Assuming nothing is interchangeable with the 5ESS (it very well could be; you'll see design decisions like that sometimes), it's possible the manufacturer is having trouble finding components for repairs and new cards. Though considering Nokia currently holds pretty much all knowledge about it, top to bottom, I'd find it hard to believe they couldn't just do a limited run of more parts if they were up against the wall. They have a good enough business relationship with AT&T that they'd definitely do this if it was a problem. Considering Nokia end of lifed the 4ESS, my guess is AT&T specifically made some decision to phase it out. 
As I said before, the current executive leadership at AT&T has gone through a pretty huge ideological change. They've decided the only way for the company to survive is to make a frantic rush towards IP telephony, a very significant change with how they were run before. They've tried replacing the 4ESS with all sorts of things over the last couple decades; 5ESSes, DMS-250s, even some sort of weird custom switch in the nineties. For whatever reason though, that never panned out. In line with "everything needs to be IP right now" thinking, this is probably the best answer they could come up with.
  3. From the sound of it, I'm pretty sure that 800 number is sending an SS7 cause code that resets the DMS-100 line back to dialtone. There's a real number (866-202-9985) that'll do this to a lot of the DMS-100s in my area. I like the idea of looking for 800 numbers like that, though. For whatever it's worth, 1-800-333-3333 is a local ringout of some kind.
  4. From what I understand, Genband really, really doesn't like to do this, and will whine and drag their feet the whole way if you want to plug a C20 into old cards. As for the lifespan of the 5E/DMS/other TDM switches, the engineers running these things seem like they're ready to keep them in good condition for a long time, and big telcos freeze like deer in headlights whenever you ask them to invest money in anything. The real question is probably more regulatory than anything else; will the current crop of regulatory actors tell the local exchange carriers that they can walk away from their customers? And more importantly, will they be able to make that stick? I try not to dabble in politics too much here, but local exchange service would be caught up in the same legal battle as regulated trunking for CLECs, wholesale providers and other types. The lawyers from public interest groups, carriers with a lot of CLEC interests, etcetera would more than likely pile on quite fast. And this would be in addition to the cases accumulating from the net neutrality stuff. I think the economic incentive for that was a lot stronger because even ten years ago, there were only ~40 1AESSes, including three that belonged to Verizon. And that particular project took them six years to complete. Phasing out the 1As probably gave AT&T legroom to stop paying Nokia for 1AESS support, let go of their specialized 1A staff (which is relative, I guess; I understand very few actually knew how they worked), and gave them the flexibility to not have to keep special practices ready for non-digital offices. Considering the much more readily available amount of knowledge, relative similarities between packet and digital circuit switches and sheer number of switches, it'd probably be of pretty limited financial - and certainly service benefits to start phasing circuit switched end offices out. 
If you want to save money on running a central office, there's probably much better ways to invest, like in solar power to offset the cost of powering everyone's phone line.
  5. 415-228-0016 - Modem [likely for MCI infrastructure] CONNECT --- Secure Sentinel - User Authentication --- Please Enter User ID ->
     415-228-0052 - Modem CONNECT Fannie Mae GTACv6 Username:
     415-228-0053 - MCI GETS forward
     405-533-9995 - Plays two bursts of dialtone
     +44-1315-36-7777 - rec, "You have reached an imported test number on BT. Bianca Switch."
  6. Basically, it's there for login security. I think the VxWorks stuff in the orange card is to upgrade firmware for the circuit packs; the TN799 and 2501AP, for example, both have a microcontroller that runs VxWorks, and there's options in the user interface for sending firmware. These cards actually have an Avaya response to a fairly serious CVE: . That's a good question. I don't suppose "rpm -i *.rpm" is such a great answer, is it?
  7. So after some consideration, I thought here would be a good place to post some info on some US West integration lab switches. There's no real potential for fraud given the circumstances, and plenty for good fun. These are, as the name would suggest, isolated almost entirely from the PSTN. 303-707-9122 and 9123 are the access numbers. 9122 is a DMS-100, the latter a 5ESS.

     So, well, where to start with these things? As you probably expect, the dialplan is sort of make it up as you go along. There's some common ground between the two, but the differences are quite easy to rack up. So, well, listing this stuff seems like as good a way as any to present it. By the way, the 5ESS has a more digit-by-digit translation style, so it can be easier to find stuff through, but it's harder to tell where a call is going. The DMS-100 makes a soft tick on inter-office calls and sounds louder on intra-office stuff.

     DMS-100 things:

     • 1-800-555-1212 goes to a cryptic IVR asking you for a destination number
     • Some CACs go to a Sonus stock recording (no doubt a lab Sonus), others just go to reorder
     • 720-993 (lab DMS-10; -1000 is remote call forward dialtone) is available
     • Some CLASS features like *67, *82 available. *69 works occasionally. The first time I tried it, it told me 720-995-3037 called, the second it just turned its nose up.
     • 303-444-4444 gets warbly live rep of some kind

     5ESS things:

     • Some CLASS features like *60, *63, etc available.
     • 011-anything rings out to a Qwest UM VMB
     • Generic, blanket numbers that ring out to the Qwest UM VMB do it via some other switch; the DMS-100 does it on its own
     • Generic, blanket numbers going to the Qwest UM VMB do not allow you to enter another account number, unlike the DMS
     • 303-444-4444 gets ACB recording
     • 602-379-9999 rings out via 5ESS to some other UM VMB, allows entering in whatever account you want. You'll notice quite quickly that it doesn't have any UM VMBs in public service.
     • 406-958-xxxx goes to Sonus

     Other stuff:

     • 303-994-00xx go to Qwest update center (*78) IVR with weird context
     • 720 and 303-99x, 98x seem to be where the most interesting stuff is.

     720-995:

     0399 - NIS via lab 5ESS
     1000 - lab DMS-100 ringout? Via lab 5ESS, gets NIS
     1001 - NIS via lab 5ESS
     2999 - lab DMS-100 ringout
     3000 - Qwest busy line doohickey
     3001 - Ringout to Reorder
     3002 - Same as 3001
     3003 - Same as 3001
     3004-3006 - Reorder
     3007 - Same as 3001
     3008 - Reorder
     3009 - Ringout
     3010 - Ringout
     3011 - Busy signal via ?
     3012 - NIS via lab 5ESS
     3013 - NIS via lab 5ESS
     3014 - NIS via lab 5ESS
     3015 - NIS via lab 5ESS
     3016 - NIS via lab 5ESS
     3017 - Ringout
     3018 - Ringout
     3019 - Ringout
     3020 - Ringout to Embarq Meatwitch VMB
     3021 - Ringout
     3022 - Ringout
     3023 - Ringout
     3024 - Ringout
     3025 - Ringout
     3026 - Ringout
     3027 - Ringout
     3028 - Ringout
     3029 - Ringout
     3030 - NIS via lab 5ESS
     3031 - NIS via lab 5ESS
     3032 - NIS via lab 5ESS
     3033 - Ringout
     3034 - Ringout to UM VMB
     3035 - Ringout to Meatwitch VMB
     3036 - Ringout to Meatwitch VMB
     3037 - Ringout to Meatwitch VMB w/greeting
     3038 - Ringout to Meatwitch VMS, cannot send message
     3039 - Ringout to UM VMB
     3040 - Ringout to Meatwitch VMB, lab VMB for 720-995-3040, 303-396-9346
     3041 - Ringout to 5ESS NIS rec
     3042 - Ringout to Meatwitch VMS
     3043 - NIS via lab 5ESS
     3044 - NIS via lab 5ESS
     3045 - NIS via lab 5ESS
     3046 - Ringout to NIS via lab 5ESS
     3047 - Ringout to NIS via lab 5ESS
     3048 - Ringout to NIS via lab 5ESS
     3049 - Reorder via DMS
     3050 - Ringout
     3051 - Ringout
     3052 - Ringout
     3053-3099 - NIS via lab 5ESS
     3100 - NIS via lab 5ESS
     3999 - NIS via lab 5ESS
     4000 - Busy via ?
     4100 - Ringout to Meatwitch VMS
     5000 - NIS via lab 5ESS

     Other 5ESS fake toll prefixes:

     206-358-?
     541-245-?
     928-xxx-xxxx?
     612-374-?
     575-606-?

     As for calling these things, there's a few things that you should probably know. If you want to make multiple calls on the same call, press ##. The phone patch will beep twice. Press ** in reasonably rapid succession and it'll get you a new dialtone. Sometimes when you press * normally, it'll do this annoying thing where it doesn't pass the DTMF to the switch, but briefly increases the volume level. If you want to pass a * when it does this, wait for the volume level to return to normal before pressing * again. On regular calls, *# can be used to flash. Much like any other, the 5ESS will consider a flash on any sort of local intercept or reorder a request for new dialtone.

     Have fun! Post if you find anything cool. Or for that matter, if you have any questions. Most of these notes were made without a big audience in mind, so some of the terms (UM, for example is Unified Messaging. The Centurylink platform in ex-US West areas is an AT&T Labs Unified Messaging thingie if I understand correctly) aren't especially obvious.
  8. Nokia owns it now. The ex-Lucent team still treats it like their baby if I understand correctly. They still do support for the switch and sell replacement parts for it. The DMS family (including if I'm not mistaken the CS-2000; the C20 - the product Genband now markets is hardware-wise somewhat different), despite being forsaken by Genband, has ex-Nortel people looking after it: .
  9. Woah! Are there any recordings of this? Or better yet, any way to access this network over the phone? I can't exactly see Russia from my house, but I'm on the very western tip of the US. Just say the word and I'll throw up a phone patch, SDR, and whatever antenna works well for VHF.
  10. There's another number to that; 3438. If you're hitting a route that gives you g.729 (sorta ruins that catchy song), it's not a bad idea to try both a few times. Interestingly, the transcoding seems to come on after the C5 chirps; those (and sometimes some Australian sounding ring) are always clear as day. So now when I found this - I actually think I found it with radio_phreak, but when I did, I was about as excited as you can expect. But something wasn't quite right. If you do a RESPORG lookup on 3438/7, it comes back as using the MCI/0222 network. If you call the number directly terminating to the Malaysian destination (you'll find it with a bit of searching) over MCI though, it's end to end SS7. After trying a bunch of carriers with no success, the theory we wound up with is that they were re-originating via a third party country; likely Australia, to shave a few cents off termination charges. Interestingly, when you hop on a conference on that access number, it'll allow you the option to contact customer service for the company, which is based out of Denver. The route you get is _definitely_ not C5. For whatever it's worth, there was another number until semi-recently; 3439 that routed a little differently. Usually it was more likely to get a transcoded route, or other weird things - one route had 450 hertz ringback before the call went offhook quite a lot. But anyway, for whatever it's worth, during Hurricane Sandy it gave you an error recording from a Santera OCX. If I remember right, the other numbers worked fine though. One thing I've noticed is during that song they play for hold music, sometimes it likes to disconnect you in weird ways. The hold music in question passes some notes a few times that definitely sound like 2400 hertz, so I wonder if that has anything to do with it (maybe we should pay attention to the supervision status), or if it's just an apathetic operator hanging up on you. 
Incidentally, when the call tears down with 2600, you'll hear this curious reorder tone from the international gateway that sorta fades in and out. Based on this, I wonder if it's a type 1 EWSD: . So this isn't exactly C5, but a while ago, I found some Axtel DMS logs on Scribd. No, seriously. You can see from there they have quite a few R2 trunks provisioned for end users: 142785363-switch-a.pdf. We were playing with this on the bridge a few months ago - something I sorta want to get into again at some point; a few people seemed pretty excited about it. There's one particular number, +52-818-114-1500 (on the AX2P42 trunk group; labeled STA_CATARINA_CALL_CENTER_PBX_R2. If you look at page 224, you'll see the trunk group type configuration for this and many others; there's a bunch of R2 trunks with generic labels) that will send a backwards 4 in MFC (780 + 1140 hertz) to the switch - indicating a network error when it messes up. Which it occasionally does. Dunno how or if these can be seized, but it seemed worth mentioning. Speaking of which, I don't have the number for this; I had the bright idea of putting it on the speed dial for a calling card and then letting it expire, but Russia has some sort of strange signaling - perhaps another R2 variant floating about in their network. This particular call I remember being to Siberia: weirdmfs.flac. A lot of their switches use whatever this is. It enables them to send vacant number conditions and such over their signaling network. All I do here besides try and hit some DTMF is whistle 2600 twice; once to seize the trunk, and another time to make the switch get all angry. The tones you hear are the standard R1 frequency set, but obviously an R1 trunk never barks MFs back at you. EDIT: Crap, I forgot about the Cuba stuff. From what I understand, Havana if no other place has a reasonably modern network of Alcatel gear. As for the fixed GSM terminals, there's some older documents on Cuban telecom infrastructure lying around. 
All of them seem to point towards the Cuban fixed network being very over capacity. That could have something to do with that particular addition. As for Paraguay, radio_phreak mentioned to me a while back a particular set of numbers that would route to C5 trunks over some carriers. I believe it was +595-528-222-xxx. Back to the C5 stuff though, does anybody know where we can find a protocol spec document for it? That'll probably help us with some of the oddities we've found on some of these trunk groups. Another EDIT: Holy shit, another EDIT: portugal_c5.flac One (hopefully) last thing - for anybody looking for international credit, I've found to be pretty good for the most part. Most of their routes look to be resold MCI, the rates are reasonable, and it tends to be decent quality. It is a callback service though, so it can be a little clunky for a large number of calls like in a scan. DMS-10 loops can be a good way to make this a little less painful. I feel kinda gross giving out a plug like that, but given the relative obscurity of the service and the content of the thread, it seems appropriate.
  11. Out of curiosity, don't they have to have FGD trunks anyway for toll-free origination? Assuming they don't send that to someone else.
  12. They put in a couple every year. They don't all (but typically do) replace one when they're installed. Given the sluggish time frame, how many they're going to install is probably a question of how AT&T's politics work out for them in the long term. The current band of executives has been responsible for some borderline irrational decisions in the past, like grandfathering all non-IP services on their CLEC divisions in 2013. No, seriously. Their CLEC network was then and still is, aside from a few Sonuses, pretty much all circuit switches, and much of their voice over IP traffic is hauled to the customer over T1 circuits. It's like a halfbaked version of Apple's decision to remove the floppy drive/audio output/whatever else from their products.
  13. If you want to borrow my TN2402, well, it's not like we live too far away from each other. Basically the only use for mine until licensing comes along is this. Incidentally, I think there's a slightly more recent orange card on eBay right now if someone wants it. This one has "CM 2.1" (which would be release 12.1) lightly scrawled on the back.
  14. 518-694-3000 - A NEC doohickey providing voicemail service for Firstlight Fiber. Try pressing 555-1# when it answers. Incidentally, the switchroom has a voicemail account. Who said scanning was hard?
      262-392-1201 - Dialtone. I'm told this is some sort of telco centrex thing that has three digit extensions.
  15. So I think I found a bridge that should work great; 510-940-0102. It's a ringout like all the rest, in an urban area so least cost routing won't be an issue, unused, and isn't going through any extra garbage. Barring any problems, this should be the last change.