ThoughtPhreaker

  1. Actually, they shut down the GSM network too; only T-Mobile provides large-scale GSM service in the US now. I'd argue that probably has more to do with AT&T's corporate politics than general obsolescence, but if T-Mobile follows suit, we'll definitely talk. But yeah - as others have said, by 2008, basically nobody made new stuff that spoke AMPS, and it used up a considerable amount of spectrum to boot. I don't think surveillance is a huge issue to most consumers judging by how the Snowden leaks have gone down, but A5/1, the encryption standard used in GSM, has been considered insecure for quite some time now. I dunno about UMTS and LTE, but you do hear about people devising attacks against them occasionally. To what degree though, I'm not quite sure. EDIT: https://en.wikipedia.org/wiki/KASUMI That being said, I think CDMA has been facing the axe as well. From what I understand, that has a lot to do with Qualcomm doing licensing on an annual (or monthly, I forget which) basis. Once they end-of-life the base station equipment, unless you can find some way to bypass the licensing (which would probably be a serious breach of contract; no established carrier would dare upset a big manufacturer like that), it's basically a paperweight; end of story. Someone who works with that sort of thing has remarked that a lot of recent carrier-side infrastructure is no longer made with the idea of longevity in mind. Hmmmm! I wonder if I should start carrying something that searches for AMPS signals on long trips. Could you flip through FCC licenses to get an idea of who might be doing this?
  2. So not too long ago, Ramsaso brought to my attention that Nokia/Alcatel-Lucent didn't EoL the 1AESS because they didn't want to support it anymore, but because AT&T cancelled their maintenance contract. Since they were the last 1A support customer, they dismantled the last lab 1AESS in Naperville, Illinois. That got me thinking about a lot of things, but most importantly, if they had a 1AESS lab in Naperville, what else do they have there? The answer? I have no idea, but they have two whole exchanges - 630-713 and 630-979 assigned to them. This might be one of those cases where having a thing that isn't a person dial numbers for you might actually be a good idea. Even for a group project, 20,000 numbers is a bit much. Especially here; if you look around, you'll discover it's, er, a little underwhelming for a place where there's switch labs. But given the potential reward for finding something fun here, I thought I might mention it anyway. Never know; sometimes if you just dial around for patterns like x000, x999 or whatever (though maybe not those specific ones here, sadly), you'll find stuff. Anyway, 630-979-4000 is probably the most useful number of the bunch - this doohickey is the custom voicemail platform someone came up with. It sounds like an engineer farted it out in a day or two, but it has a working name directory if nothing else. The system has a weird way of arranging phone numbers. For example, 630-713-1744 maps out to 2-873-1744 internally. 630-979-9599, likewise, is 2-879-9599.
  3. Sure, but some end offices have them too: 971-230-0019, 503-416-1124, 208-364-0120. For what it's worth, Washougal is a DMS-10. As far as I know, the EDRAM cards with the Noot Lady only work on DMS-100 family switches. The DMS-10 manual mentions some kind of equivalent though, so I could definitely be wrong. For whatever it's worth, RBOC lines coming into that building are from PTLDOR69, so it's also possible it's just something from the Capitol DMS-100. I could swear they put Pat Fleet stuff on that switch though.
  4. The way I did mine was a bit weird; the server in question doesn't have a VGA card, so I did the first installation stage on a VMware instance, loaded it onto a hard drive with another OS, SSHed in, and then simply used dd to copy it to yet another drive. That was just the OS installation though; all the RPMs were installed just the same as everybody else's. At the end of the day though, I installed it onto an old 20 GB (from that same Dell when a bigger drive was put in, actually) IDE drive I don't have much use for otherwise. There's nothing particularly special about it. Anyway, sorry this has taken so long. I do actually plan on uploading an image with this at some point so we can get to the bottom of what's going on. Aside from the hardware concerns though, I would like to shuffle around some data (mostly voicemails; the passwords on a machine like this are obviously throwaways) before giving it out. I did have it answering my phone for a while when I wasn't around.
  5. Dimension L1000R
  6. If memory serves me right, that rules out McLeodUSA, TW and XO; only the Integra and MCI DMSes have no trailer code. My money is on Integra.
  7. Sure, could you? Sorry it took me so long to respond; it's been a weird month. The PSU in question is a Dell HP-P1457F3.
  8. Yup! Every night.
  9. The AT&T OSPS (101-0288-0) should let you call out with an ANI fail if you feel the need for it. 0222/0555 (goes out via 0222 in the mid-Atlantic)/0333 are, I think, the other CACs that allow UIFN origination. Each of them gives a slightly different experience. For example, from another thread ( http://www.binrev.com/forums/index.php?/topic/47028-portugal ), that number won't work with the Sprint CAC, might very well still give you some sort of C5 trunk, and like many numbers in Europe, you'll get some weird thin click sound on the AT&T route (though it looks like MCI has followed suit for this particular destination; it wasn't always that way) as your call gets set up and torn down. Since it happens in so many places, I've been wondering if it went over some weird tandem with relays in it. For a while, I speculated with some friends that it might be a Philips PRX-A, but that doesn't seem to be the case.
  10. Maybe. There are cases where you'll sometimes terminate to different tandems in a country that do separate things. The most important thing to look at here is the least cost routing table, though - especially for international calls. There's a Wikipedia page that explains a lot about this: https://en.wikipedia.org/wiki/International_telecommunications_routes A lot of countries - possibly like the one you're calling, judging by how the call is terminating - will send a cause code back via SS7 to tell the caller the number isn't in service. I think some US switches may do this if a call is marked as coming from abroad. Anyway, under normal circumstances when that happens you'll just get a recording back from your originating office. If a country is expensive to call or a carrier is just cheap, sometimes you'll see arrangements where SS7 cause codes are unable to make it back to the subscriber, so you'll get messages from a switch in some foreign country. Though what you get isn't necessarily always normal; there was one route to Vietnam that would give you a dialtone after whatever you were calling - even a non-suping recording - hung up. For example though, calling Cuba via AT&T for a while, you'd sometimes get a recording from a Japanese switch. Depending on how shady the originating route is, sometimes you'll get particularly amusing things. For example, in the US, 712-580-9999 is an ANAC in a part of the country notorious for people racking up termination fees from conferences and such. So if you're calling from something sketchy enough, sometimes it'll read back the number of some random POTS/cable/cell phone number that was used to re-originate the call. I've heard from people who look into that sort of thing more than I do that if voicemail happens to be bundled with the line in question, you can hear some particularly amusing messages being left on those things.
On the POTS ones, people who do this will change their long distance carrier pretty much every couple months. Carriers tend not to like it when you do this. Anyway, here's a good example of the pros and cons of these routes. Sometime before 2014, there was a crossbar in Moscow (+7-495-362-xxxx if you want to poke about the range) that you could call. Here's a recording chronomex made to it over a Callwithus account circa 2009 or 2010 or so: russiancall3.wav Indescribably awesome sounding, but over a pretty soul-crushing codec. This, on the other hand, is what you'd get dialing the same thing from MCI: russiancall2-edit.wav Worlds better sounding, but it cuts through too late to hear the call setting up. Instead, you're stuck hearing someone affirm that old sounds the same in every language. But that's still kind of a cool teardown noise. For whatever it's worth, the AT&T international gateways will always stop you if you dial 0 after the country code in a lot of places. I dunno about other carriers, though. There is always the possibility that the international gateway switch has some code it'll route on incoming trunk groups to an interesting/far off place. I've never had a very solid grasp of any other country's numbering plan, but since you mention it, I might have to run the idea past a few friends in the UK.
  11. Sure! It'll take a few, though; I'll have to find a juggling act that'll work to get that copied, let alone uploaded. A brownout knocked out the power supply to my server and a few other nice things, so until I figure out what to do with it, everything will be going sort of slowly. It's a Dell desktop from like a hundred years ago; it works perfectly fine for the tiny CPU load it gets, but it's one of those stupid ones with the proprietary PSU pinout. This is the second OEM power supply that's died during a brownout, and replacing it is getting to be an annoyance. So my options here are to get another one and just ride it out until the next brownout - not something I'm especially keen on, finding a third party one that's hopefully built better, trying to find the pinout online and kluging a standard ATX supply into there (I think there's more -5v lines than there are on a standard ATX connector), or throwing a perfectly good machine in the garbage and replacing it with something probably significantly more powerful for next to - or possibly nothing.
  12. I hope people are getting something out of this thread. At least for me, exploration really keeps the ball rolling with phones. Anyway, here's a bunch of stuff I've found in my spare time the last few weeks:

      541-318-0000 - *57 success rec

      541-317
        0000 - Ringout
        0001 - Ringout
        0002 - Ringout
        0003 - Ringout
        0004 - Ringout
        0005 - Ringout
        0006 - Ringout
        0007 - Ringout
        0009 - Ringout
        0010 - Ringout
        0011 - Ringout
        0012 - Ringout
        0013 - 102-type milliwatt
        0014 - rec, CBCAD/call the business office for assistance
        0015 - Ringout
        0017 - Ringout
        0018 - Modem

      541-738
        0000 - Qwest UM VMS
        0001 - AIS report, DISCO
        0009 - AIS report, DISCO
        0010 - Qwest UM VMS
        0011 - Qwest UM VMS
        0012 - DATU
        0015 - Thingie, answers with three ~480 hertz beeps, waits for DTMF
        0016 - NIS rec via Meridian
        0020 - 102-type milliwatt
        0021 - # forwarding to call screen IVR, rings out w/o privacy bit (CNAM: CENTURYLINK)
        0023 - Loopback test
        0024 - Messed up loopback test (loud!)
        0025 - Ringout
        0032 - 100-type test
        0034 - YCDNGT rec
        0035 - Ringout
        0080 - 105-type test
        0082 - CBCAD rec
        0083 - Ringout

      541-302
        0000 - Ringout
        0001 - 300 baud modem, prompts "password:" upon connect
        0002 - Ringout
        0003 - 1200 baud modem, prompts "password:" upon connect
        0004 - Ringout
        0005 - Same as 0003
        0006 - Ringout
        0007 - Same as 0003
        0020 - 100-type milliwatt

      541-485-0000 - Modem (CNAM: GREEN LEAF RIVE)

      541-334
        0002 - Ringout
        0003 - Busy via SS7
        0004 - Ringout
        0005 - Ringout
        0006 - Busy via SS7
        0007 - Ringout
        0008 - Ringout
        0009 - Ringout
        0020 - # cannot be reached from calling area rec
        0021 - rec, "The number called is busy. A special ringing will tell you when the line is free. Please hang up now."
        0022 - 105-type lookalike
        0023 - rec, "The number called cannot be reached. Please hang up now."
        0024 - rec, "You have canceled your request. Please hang up now."
        0025 - rec, new Fleet, *57 fail rec
        0026 - rec, "The number was free, but it has just become busy again. Please hang up. You may reactivate if you wish by dialing the original code."
        0027 - *57 unavailable rec
        0028 - rec, "Your call has been completed. However the party you are calling is not receiving calls at this time."
        0029 - *57 success rec
        0030 - Ringout
        0031 - rec, "The number cannot be reached now. Please hang up and try again later."
        0032 - NPA changed to 541 rec
        0033 - Ringout
        0034 - Ringout
        0035 - Ringout
        0039 - Ringout
        0040 - Caller not accepting calls w/privacy bits rec
        0041 - New Fleet rec, Centurylink call blocking test - not blocked
        0042 - Ringout
        0043 - Ringout
        0044 - Modem, same as 302-0001?
        0045 - Ringout
        0046 - Ringout
        0047 - Ringout
        0048 - Ringout
        0049 - Ringout
        0050 - Ringout
        0051 - 100-type test
        0052 - Ringout
        0053 - Ringout
        0054 - Ringout
        0055 - Ringout
        0056 - Ringout
        0057 - Ring + long silence + reorder via SS7
        0058 - Modem, 9600 baud, PLEASE ENTER YOUR PASSWORD ===>>
        0059 - Same as 0058

      718-384-9900,9904 - DMS-100 DISA dialtone

      360-293-0069 - NPA changed rec via GTD-5 Cognitronics doohickey

      410-333
        9999 - Silence, supes
        9998 - Silence, supes
        9997 - rec, "The number you have dialed for the University of Maryland at Baltimore has been changed. The new number is 706 plus the last four digits of the old telephone number. Please make a note of it. Thank you."
        9996 - DISCO/NIS rec
        9995 - rec, calls w/privacy bit blocked
        9994 - Silence, supes
        9993 - *57 fail rec
        9992 - rec, "We're sorry, we are unable to complete this request because the number you have called has become busy again."
        9991 - rec, "You have just de-activated this feature."
        9990 - rec, "The number you have called is busy. If it becomes free in the next thirty minutes, you will hear a special ring when the call can be attempted. Please hang up."
        9989 - rec, "This service cannot be activated because the telephone number is not in our serving area."
        9988 - *57 success rec
        9987 - Supes silently
        9986 - Anonymous call rejection service off rec
        9985 - Anonymous call rejection service on rec
        9982 - Ringout
        9981 - rec, "You have reached the Housing Application Office of the Housing Authority of Baltimore city located at 300 Cathedral street, the fourth floor. When an interviewer answers your call, please state your application number, name and address. Calls are accepted between 9 AM and 3 PM."
        9978 - rec, "You have reached a non-working number at the University of Maryland Baltimore. Please check the number and dial again, or contact 410-706-3100 for assistance. Thank you."
        9972 - Weird, loud/messed up loopback test
        9971 - Loopback test
        9969 - Busy signal via 5ESS
        9968 - rec, "Thank you for calling the University of Maryland Medical System. All of our attendants are currently assisting other calls. Please hold, and your call will be answered in the order it was received. Thank you."
        9967 - Ringout
        9966 - rec, "At this time, the party you have called is not taking calls."
        9965 - Ringout
        9964 - Ringout
        9963 - Ringout
        9962 - ACB via SS7
        9961 - Ringout
        9960 - ACB via SS7
        9958 - Ringout
        9957 - Click + 15A announcement noise
        9956 - Reorder via 5ESS
        9955 - rec, "You have reached Citibank. The number you have dialed is not in service. For further assistance, please call 637-2100."
        9954 - rec, "You have reached the department of housing and community development housing inspection services complaint section. All of our lines are busy. Please hold. Your call will be answered in the order it was received."
        9953 - rec, "Please redial this number by using the access code and the seven digit number. Dialing the area code is no longer necessary."
        9952 - rec, "One-fifty seven channel three"
        9951 - rec, "We are sorry, the number you have reached is not in service. If you are calling Kerr Steamship, please dial 962-5200. If you need help, dial your operator. This is a recording."
        9950 - rec, "The number you have reached is not in service. If you are calling Miran(?) Towing Company, please call 962-6500. If you need further help, please call your operator."
        9949 - rec, "The number you have dialed, 333-1000, is no longer in service. If you are trying to call a Maryland state agency, please refer to the blue pages of your local telephone directory or call directory assistance. Thank you."
        9947 - rec, "You have reached a non-working number for the University of Maryland medical system. Please check the number and dial again, or contact 328-8667 for assistance. Thank you."
        9946 - Blank or broken 15A channel
        9945 - rec, "The number you have reached is not in service. If you are calling Montgomery Ward, please call 244-2000. If you need further help, please call your operator."
        9944 - rec, "The number you have dialed at Maryland National Bank has been changed. The new number is 605 and the same last four digits of the number you just dialed. Please make a note of it."
        9943 - rec, "If you are calling a government agency in the Baltimore area and do not have the number, check your local directory or call directory assistance."
        9942 - rec, "The number that you have reached is not in service. If you are calling the Traveler's Insurance Company, please call 962-6262. If you need further help, please call your operator."
        9941 - CBCAD/call your attendant to help you rec
        9940 - Network difficulty rec
        9939 - Ringout
        9938 - Ringout
        9935 - Ringout
        9934 - Ringout
        9933 - Ringout
        9932 - Ringout
        9931 - Ringout
        9930 - Ringout
        9924 - LD CAC required rec
        9920 - Dialing LD CAC not necessary rec
        9916 - Ringout
        9915 - Ringout
        9914 - CAC error rec
        9913 - ACB via SS7
        9912 - Silence, supes
        9911 - Dialing 950 not necessary rec
        9910 - Dial 950 before CAC rec
        9909 - rec, CBCAD from the phone you are using
        9908 - # cannot be reached from calling area rec
        9907 - Telco facility trouble rec
        9906 - rec, "The number you have reached is not in service. If you are calling the Department of Social Services, please call 361-4700. If you need further assistance, please call your operator."
        9905 - Coin deposit rec
        9904 - CBCAD rec
        9903 - YCDNGT rec
        9902 - Permanent signal rec
        9901 - Dialing 1 not necessary rec
        9900 - Dial 1 first rec
  13. 303-223-9995 - Dialtone via Global Crossing Local Services DMS-500
      213-455-9999 - Same thing, but via a CS-2000 in Anaheim.
      Both are toll restricted, so hopefully they'll be used to hone better switch playing techniques instead of being abused. Also, note the noticeable delay and comfort noise on the calls, even when you're local to them.
  14. Sure, but keep in mind that the one time password algorithm for the Definity is based on DES. I'm not a crypto guy, but based on what I know about DES, having faith in that even if an attacker doesn't have the keys seems like a dangerous game. Much like the passwords as well, the ASG keys for init and inads are probably the same for every processor using a specific build. Though I guess the problem with that is you don't know what build it is until you log in or physically look at the sticker on the processor. This'll definitely have to be explored further at some point - maybe they use the same inads or craft or whatever key on every build. Ostensibly, yeah. The header and object files we got from the RPM should allow anybody who uses it in their code to encode and decode license keys, and from the look of the functions, probably make and test valid ASG keys as well. The idea behind disassembling the object files was to try and get an idea of how the functions work - and that's still a valid choice, but it might be less work to just use them as is through trial and error. Of particular note in asg.h is this:

          struct lic_info {
              unsigned char version[4];
              unsigned char filler[6];
              unsigned char hexkey1[8];
              unsigned char hexkey2[8];
          };

      along with the four functions in license.h. Since gewt has a switch with a valid license, I was hoping we could use this to test data we know for sure works against anything we happen to write with these ASG functions. Sure! I'll send you a PM.
  15. As much as I wish something like that were true, I don't think it is. Here's how I understand it: The server processing your calls has no involvement in the local calling area. It's, let's say for example, in Texas. Wherever Vonage feels is cheapest and has the best internet connectivity. When your call hits the switch - or really, the call agent (if I understand correctly) in VoIP terms in Texas, it does a ported number dip on what you're calling, and looks at a least cost routing database. From there, it determines the cheapest carrier to terminate traffic to whatever exchange you're calling. Sometimes this is via a switch in the terminating local calling area. Other times, it's terminated back onto a toll trunk and completes like a normal long distance call. It all depends on what's more practical for the carrier. If it's an expensive destination, sometimes a carrier will use under the table methods of terminating traffic. https://en.wikipedia.org/wiki/International_telecommunications_routes For incoming, it's a little different. A DID provider will have their own switch in your local calling area - probably something made by Sonus, and they sell those incoming numbers to Vonage. Vonage uses bandwidth.com DIDs if I remember right. Anyway, when it hits the number, it sends the call via the internet to that switch in Texas, which in turn knows to relay it to you. Anyway, as JCSwishMan said, the analog telephone adapter in your house counts rotary dial pulses itself. When it thinks you're done dialing, it'll put the digits in the SIP INVITE header along with other information, and send it to the switch in Texas. All good, man. Almost everybody starts in this sort of hobby in their teens. If someone implies they're in that age group, I think it's just an unspoken truth here.
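As an added illustration of the call flow described in that last post (this is example code written for this page, not the poster's code and not anything from Vonage or any DID provider), the following Python sketch takes a SIP INVITE as an ATA might send it, pulls the dialed digits out of the Request-URI, normalizes them to E.164, runs a mock ported-number dip, and then picks a carrier from a least-cost routing table by longest prefix match. The INVITE, the LNP entry, the carrier names and the per-minute rates are all constructed sample data (555 numbers, a `.invalid` domain and a documentation IP address), not real routing information.

```python
"""Toy model of a VoIP provider's outbound call handling: SIP INVITE ->
dialed digits -> E.164 -> ported-number dip -> least-cost-routing lookup.
Every number, domain, carrier and rate below is constructed sample data."""

import re

# Constructed SIP INVITE as an ATA might emit it after counting dial pulses.
SAMPLE_INVITE = (
    "INVITE sip:15035551234@sip.example-provider.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:15035550100@sip.example-provider.invalid>;tag=1928301774\r\n"
    "To: <sip:15035551234@sip.example-provider.invalid>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)


def dialed_digits(invite: str) -> str:
    """Return the user part of the Request-URI (the digits the ATA collected)."""
    request_line = invite.split("\r\n", 1)[0]
    m = re.match(r"INVITE\s+(?:sip|sips):(\+?[0-9*#]+)@", request_line)
    if not m:
        raise ValueError("not an INVITE with a numeric Request-URI")
    return m.group(1)


def to_e164(digits: str, home_npa: str = "503") -> str:
    """Normalize NANP dialing variants (7, 10 or 1+10 digits) to +1NXXNXXXXXX.
    home_npa is the constructed subscriber's own area code for 7-digit dialing."""
    d = digits.lstrip("+")
    if len(d) == 7:
        d = home_npa + d
    if len(d) == 10:
        d = "1" + d
    if len(d) == 11 and d.startswith("1"):
        return "+" + d
    raise ValueError(f"cannot normalize {digits!r}")


# Constructed LNP data: a ported number mapped to the LRN of its new switch.
PORTED = {"+15035551234": "+15035550000"}


def ported_dip(number: str) -> str:
    """Return the number to route on: the LRN if ported, else the dialed number."""
    return PORTED.get(number, number)


# Constructed LCR table: routing prefix -> [(carrier, rate in $/min)].
# Longest matching prefix wins, then the cheapest carrier under that prefix.
LCR = {
    "+1": [("toll_carrier", 0.0100)],
    "+1503": [("pdx_local_clec", 0.0020), ("toll_carrier", 0.0080)],
    "+1503555": [("pdx_local_clec", 0.0010)],
}


def select_carrier(routing_number: str):
    """Longest-prefix match against LCR, returning (prefix, (carrier, rate))."""
    for length in range(len(routing_number), 1, -1):
        prefix = routing_number[:length]
        if prefix in LCR:
            return prefix, min(LCR[prefix], key=lambda c: c[1])
    raise LookupError(f"no route for {routing_number}")


def route_invite(invite: str) -> dict:
    """Run the whole pipeline the post describes and return each intermediate."""
    digits = dialed_digits(invite)
    number = to_e164(digits)
    routing_number = ported_dip(number)
    prefix, (carrier, rate) = select_carrier(routing_number)
    return {"dialed": digits, "e164": number, "routing_number": routing_number,
            "prefix": prefix, "carrier": carrier, "rate": rate}


if __name__ == "__main__":
    print(route_invite(SAMPLE_INVITE))
```

The point of the ported-number dip being a separate step is visible in the output: the dialed number and the routing number differ, and it is the routing number, not the digits in the INVITE, that decides which carrier and rate apply.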