• Content count

  • Joined

  • Last visited

  • Days Won


ThoughtPhreaker last won the day on July 12

ThoughtPhreaker had the most liked content!

Community Reputation

166 Expert


About ThoughtPhreaker

  • Rank
    Dangerous free thinker
  • Birthday 11/02/1991

Profile Information

  • Gender

Contact Methods

  • Website URL
  • ICQ

Recent Profile Visitors

32,436 profile views
  1. I've been working a little bit with the Definity today, and thought an update would be warranted: So through some quick trial and error and comparing to older releases, I was able to find the 2560 byte blob that is the license file in the translations, an identical copy stored in RAM by the fg_mapa process. Strangely enough, there seems to be some sort of redundant copy of this around somewhere; if you start manipulating the copy in fg_mapa and tell the switch to test the license, it'll very quickly change it back to what it should be. Thankfully, the switch comes with some very nice debugging utilities that should make figuring out where it's getting another copy to fix this (it isn't the translations card; I tried pulling that out. Though obviously, if you corrupt the copy on the translations card, it's going to have a much harder time getting another copy from RAM when you reboot. This helped verify a lot of this) a lot easier. There's going to be a few things to consider here, like how an actual license file differs from what the Definity stores (you're supposed to be able to paste it in using the ossi interface on the switch. The Definity won't accept the license you pull from RAM, however), but all in all, this should make the rest of the process a lot less painful.
  2. Heh, now that's sort of a weird coincidence. I was working on a Linux Diva dialer earlier today! This is in C, but given the similarities of the API calls, feel free to use any of this if you find it useful; it's just a modified version of demo code and the default tone detection rules. If it interests anyone enough, I'll get off my ass and make it multi-channel/a little more script friendly. That being said, imho, there's a much more practical use of telephony boards like these though. Granted, this is written for a CG6565E (also modified demo code. I do write actual things; the CG cards are sort of an annoyance to develop for though, so I'm keeping away from it for now), but take a listen: nmsscan.wav . The star key is returning the last four digits of the number being dialed. 6 is being used to move that number up by one, and five is being used to play back what happened on that particular number. Other than that, all signal processing is manual. Sorry about the noisy/low volume to the distant end; there's a reason for that. But more to the point, notice we blew through nine numbers (with a lot of ringouts) in the span of two minutes. If anybody wants the prefix of this though, it's 720-746. A compromise of these two ideas would be amazing; something that, for example, let you review scans, but skip over common things like vacant numbers, or perhaps more importantly, numbers that just ring and go nowhere. As the recording demonstrates, that's easily the most time consuming part of a scan. Though it can also be rewarding long term if you're looking to learn how to compare the sound of ringback from one switch type to the next. > /*----------------------------------------------------------------------------- * * Copyright 2001-2014 Dialogic(R) Corporation * * All Rights Reserved. * * This software is the property of Dialogic Corporation and/or its * subsidiaries ("Dialogic"). This copyright notice may not be removed, * modified or obliterated without the prior written permission of * Dialogic. * * No right, title, ownership or other interest in the software is hereby * granted or transferred. The information contained herein is subject * to change without notice and should not be construed as a commitment of * Dialogic. * * This application code is not part of any standard Dialogic product and is * provided to you solely for the purpose of assisting you in the development * of your applications with Dialogic Diva SDK. The code is provided "AS IS", * without warranty of any kind. Dialogic shall not be liable for any * damages arising out of your use of this application, even if it has been * advised of the possibility of such damages. * *----------------------------------------------------------------------------- * Sample for an outgoing call including streaming a file. * * The sample shows how to connect a single call, to stream a message and to * disconnect. The sample is started from the command prompt. The phone number * to dial and the file to stream must be specified as parameter. * * Note that this sample is designed to show very simple how to process a * single call and to stream audio. Therefore the sample does not do any * error handling. *----------------------------------------------------------------------------*/ #include <stdio.h> #ifdef WIN32 #include <conio.h> #endif #include <string.h> #include "dssdk.h" /* * Some globals */ DivaAppHandle hApp = NULL; DivaCallHandle hSdkCall = NULL; AppCallHandle hMyCall = NULL; void CallbackHandler ( DivaAppHandle hApp, DivaEvent Event, PVOID Param1, PVOID Param2 ) { switch (Event) { case DivaEventEarlyDataChannelConnected: // Geez, what a mouthful... if ( DivaReportTones( hSdkCall, TRUE) != DivaSuccess ) { printf( "Failed to initialize tone reporting. Disconnecting...\n" ); DivaDisconnect ( hSdkCall ); } // Instruct the board to create a timer that expires after 30 seconds if ( DivaStartCallTimer( hSdkCall, 30000 ) != DivaSuccess ) { printf( "Fuck, something is really wrong; we can't create a timer event.\n" ); DivaDisconnect ( hSdkCall ); } else printf ( "Call progress received! Listening for network events...\n" ); break; case DivaEventCallConnected: printf( "Call suped!\n" ); break; case DivaEventCallTimer: printf( "Call analysis timed out. Disconnecting...\n" ); DivaDisconnect ( hSdkCall ); break; case DivaEventToneDetected: if ( Param2 == 201 ) printf( "Human speech detected\n" ); if ( Param2 == 138 ) { printf( "SIT tone received! Disconnecting...\n" ); DivaDisconnect ( hSdkCall ); } if ( Param2 == 160 ) printf( "SIT 0 received.\n" ); if ( Param2 == 161 ) printf( "SIT 1 received.\n" ); if ( Param2 == 162 ) printf( "SIT 2 received.\n" ); if ( Param2 == 163 ) printf( "SIT 3 received.\n" ); if ( Param2 == 164 ) printf( "Operator intercept SIT received.\n" ); if ( Param2 == 165 ) printf( "Vacant circuit SIT received.\n" ); if ( Param2 == 166 ) printf( "SIT for recording received? What?\n"); if ( Param2 == 167 ) printf( "SIT for no circuit found received.\n" ); if ( Param2 == 134 ) printf( "Call is ringing...\n" ); if ( Param2 == 135 ) printf( "Call is ringing back. Specially...\n" ); if ( ( Param2 == 194 ) || ( Param2 == 195 ) ) { printf( "Modem or fax answer tone received.\n" ); DivaDisconnect(hSdkCall); } if ( Param2 == 198 ) { // This is probably not useful; 2200 hertz modem tones are in practice grabbed by the above rule. printf( "Oldschool modem answer tone detected.\n" ); DivaDisconnect(hSdkCall); } if ( Param2 == 136 ) { printf( "Call is busy. Disconnecting...\n" ); DivaDisconnect(hSdkCall); } if ( Param2 == 137 ) { printf( "Reorder tone came back. Disconnecting...\n" ); DivaDisconnect(hSdkCall); } if ( Param2 == 130 ) { printf( "Holy shit, we got a dialtone! Quick, go phr34kz0r it! NAO!!\n" ); DivaDisconnect(hSdkCall); } if ( Param2 == 131 ) { printf( "PBX dialtone received.\n"); DivaDisconnect(hSdkCall); } if ( Param2 == 132 ) { printf( "'Special' dialtone received. Don't you feel special?\n" ); DivaDisconnect(hSdkCall); } if ( Param2 == 133 ) { printf( "Stutter dialtone received!\n" ); DivaDisconnect(hSdkCall); } if ( Param2 == 202 ) { printf( "Answering machine tone (theoretically; 390 hertz) heard\n"); DivaDisconnect(hSdkCall); } break; case DivaEventSendVoiceEnded: DivaDisconnect ( hSdkCall ); break; case DivaEventCallDisconnected: hSdkCall = 0; DivaCloseCall ( Param2 ); printf ( "Disconnected\n" ); DivaUnregister ( hApp ); DivaTerminate (); break; default: break; } } int main(int argc, char* argv[]) { char DialString[100]; int c; if ( argc != 2 ) { printf ( "USAGE: numidentify <phone number>\n\n" ); return -1; } strcpy ( DialString, argv[1] ); // heh, strcpy. Don't look at me, it's not my code! You, uh, you might want to change this. printf("Version: %d.%d\n", (DivaGetVersion() >> 16) & 0xffff , DivaGetVersion() & 0xffff ); if (DivaInitialize() != DivaSuccess) return -1; hMyCall = (void *) 0x11223344; if ( DivaRegister ( &hApp, DivaEventModeCallback, (void *) CallbackHandler, 0, 1, 7, 2048 ) != DivaSuccess ) { return -1; } if ( DivaConnectVoice ( hApp, hMyCall, &hSdkCall, DialString, LINEDEV_ALL, "", "0", DivaVoiceOptionEarlyDataChannel ) != DivaSuccess ) { return -1; } printf ( "Number identifier running, press <ENTER> to terminate\n" ); while ( 1 ) { #ifdef WIN32 c = _getch ( ); #else c = getc (stdin); #endif if ( c == 'q' ) break; } printf ( "Number identifier stopped\n" ); DivaUnregister ( hApp ); DivaTerminate (); return ( 0 ); };
  3. The ability to use OSPS seems to be on a switch-by-switch basis. I'm not quite sure what the pattern is, but if you want to scope this out, I encourage you to check every office you can locally.
  4. I've had a few people report that in some areas where this doesn't work yet you home off of a 5ESS toll tandem (and can dial 101-0288# and get a dialtone from it), sometimes dialing 101-0288# and then 0 at the dialtone will work. I'm beginning to think this has less to do with the office you're coming out of, and more to do with something in the SS7 initial address message. EDIT: I'll try to confirm, but this exception may not apply to payphones.
  5. There's always been little slip-ups in the way AT&T restricts 800 numbers from 101-0288-0, for anyone old enough to remember that. But more recently, they've been doing some sort of weird call distributing technique; for example, if you're in one of these affected areas, they'll distribute calls to different OSPS switches throughout the country. Something about the trunk group you come in on instructs the network to allow 800 calls out from OSPS again from these areas. If you're around any of these areas, I've confirmed with some friends that it'll work: Washington, DC San Francisco, California Ontario, California Fresno, California Muskegon, Michigan Oberlin, Ohio Cincinatti, Ohio Lincoln, Nebraska Orlando, Florida Tampa, Florida Manchester, New Hampshire Denver, Colorado Dickinson, Texas Des Moines, Iowa Springfield, Massacheusetts Chicago, Illinois Rolla, Missouri Kansas City, Missouri Fargo, North Dakota As always, toll-free calls through the Honolulu and San Juan OSPSes will go through like they always have. There's also a few interesting scenarios, like tiny LECs with direct trunks to OSPS, where toll-free traffic has always gone through.
  6. Great to see some new faces! Especially in this thread. 0051 is a DATU. 0037 is a 105-type test as I think it's officially called. I think the idea is they do trunk testing. In any case, press 2, #, etc to make it produce tones and noise. 0 commonly hangs up on those things. 407-238-6209,6238 - Elevators on hotel PBX (Nortel Meridian) 407-238-6214 - Modem on hotel PBX: CONNECT CentOS release 6.5 (Final) Kernel 2.6.32-431.29.2.el6.x86_64 on an x86_64 XetaCAS_22832_MarriottRoyalPalms login: 843-414-0052 - rec, "We're sorry, your telephone is temporarily out of order. There may be a receiver off the hook. Please check your main telephone and extensions. Charleston, South Carolina. 843-1. CHTN." 502-753-0021 - 17A announcement machine 502-753-0059 - IVR, "Please enter your home phone number" 504-648-0010 - 17A announcement machine
  7. MtnHell and I talked about this a while back. It appears the switch is sending a battery drop and putting him back on his own dialtone. I've only seen a 5ESS reset like that a few times before in...ever. Usually only with very specific circumstances, like someone releasing a coin trunk, or CAC-0-710+ call attempts.
  8. For whatever it's worth, when I worked in broadcasting, most radio stations I saw used Telos NX12 or Vx hybrids. I would try to familiarize yourself with those (sometimes they have promotional videos with a DJ inside the booth - that'd be a good place to look for either) and see if you can match the sounds up with them. For whatever it's worth, in addition to the echo cancellation as Jman mentioned, there's also an option for other processing on most modern hybrids, like multi-band compression and automatic gain control.
  9. A friend of mine brought back Scanaday:
  10. Sure enough, 101-9017-1-405-959-0000 from a switch in Oklahoma City gets you some sort of weird test number from the tandem switch. Other stuff probably isn't far behind.
  11. There's several numbers nearby, like 752-8055, that go to an ANAC.
  12. It's a very low hanging fruit in terms of exploits; any random script kiddie bot that happens upon it is going to have a hell of a good day. Given how frequently ISP modems are compromised now (for example, one of the Actiontecs where a remote administration interface is permanently stuck on 4567 or 7654 or whatever; I've seen people with these get free, grimly successful security audits) and how little of a say users are able to have in securing them, if you have a minimal, "the ISP just gave me this modem so I hook stuff up to it" configuration, I wouldn't put Audix anywhere near the internet. If you don't want to use a dial-up modem to administer it, you could always use a KVM or something; I'd recommend this more than an isolated ethernet network simply because Audix is designed to use an old version of Netscape to access the web UI from itself. The system runs very old SSL certificates, wants you to execute very old Java applications, and wants you to use a very outdated SSH session to administer it. Security aside, you're going to have trouble finding browsers that want to deal with that. And then you'll have to configure Java to actually execute the administration program it feeds you, unless you can figure out what it's supposed to be running. If I remember right, the Avaya Java SSH thing runs 'exec Fc' after it logs in to access the administration program. Given both the obscurity and how the C-LAN card runs a functionally independent OS (an old build of VxWorks) from the switch, the Definity shouldn't be any trouble so long as you're okay with telnet. I'd still recommend using a modern Linux system with SSH and running the system with minicom. Or a dial-up modem, just because I'm that sort of person. I've detailed in this thread how the VT220 mode can be used with an off the shelf terminal. There are however, undocumented TCP ports open on the card. I doubt your average automated Chinese script kiddie scanner is going to pose a threat to it, but use your own best judgement on that. You're in the wrong place if you think some horrendously bootleg mismatch of hardware running Audix is some sort of hallowed Avaya prayer ground. Or certainly if you don't want to get creative and dirty up your install. Encouraging anyone not to touch it goes completely against everything the hacking spirit stands for, and certainly the spirit of the effort on this thread to turn paperweights into powerful systems again. That being said, if you're going to stick your head in the sand to the tune of a 16-year old Linux kernel, proprietary or otherwise, any very cursory nmap scan will give a very good idea of it's age to someone else. Perhaps you weren't paying attention when it was shown that the license file on these cards is encrypted using DES. With keys that're clearly sitting in the header files that we have no less. Or that the system has absolutely no RAM protection, allows you to read and write to any address you please freely as a higher level user, that we have init access on these releases, and that we know the RAM addresses where the ASG keys sit on the switch. It's certainly an annoyance, I'll grant you. Nobody has approached me offering to help sstep the pam process on the Definity while the license file is being read, and for that reason, my motivation on more computer-oriented projects has been more to wrangle up Dialogic cards into doing sketchy things like scanning. Someday it'll make me really happy to unlock my release 11 Definity card, and certainly help everyone else do the same. For the moment though, most functionality on it works fine, and until I see more initiative to collaborate on this, I don't especially feel like trudging through pages of MIPS instructions. What sort of hardware architecture the system runs on is inconsequential to the licensing routine. You've been repeating lines like this without providing any source or supporting evidence other than friends at Avaya, who're imaginary for all we know. Either you're some sort of Definity troll, or don't know what you're talking about.
  13. :I thought it'd be a good idea to keep a thread open for small, marginally interesting tricks that can be applied in the network. Especially since they can sometimes turn into larger things when they're explored. So, well, I'll start: In lots of ex-SBC areas, you can dial your home NPA + 700-4141 and get a recording from one of the local tandems (as in, a non-toll switch that handles calls between you and an exchange down the road or to a toll carrier) thanking you for choosing SBC as your intra-LATA toll carrier. Sometimes the switch blocks it or redirects it to your toll carrier, so you might have to use 101-0110 or 101-9017 to circumvent this. Also, HPNA-958/959-xxxx will try to complete from the operator IVR on these same switches, but seems to get a cause code or something back quite quickly. I dunno what this is supposed to reach or if some areas treat it differently than others, but usually you get a recording from the TOPS tandem when you hit something invalid.
  14. Like everyone says every time we do one of these, it's been a while! Show us your tastes in shameless materialism! $30 PCIE quad T1/E1 Dialogic DM3 card These are really nice cards for a number of reasons. The one holdback is you really need to know C to make them worth your while. If you have anything that speaks T1 and can stomach a bit of programming though, they are very much worth it. I'm running a similar model that routinely gets at least a couple hours of use every day. Cisco IAD2431-1T1E1 router. You can't beat a Meridian or Definity for home use - there's no getting around that, but these are surprisingly flexible for a home network if you can tolerate the Cisco CLI, have a channel bank to use some analog lines with, and don't have enough room for a larger PBX like the aforementioned ones (and don't want to write a switch program to work with the card I just linked; they have GR-303 stacks). These particular models do TDM hairpinning as well, so the call is end to end circuit switched when there's no DSP involvement. There's really cheap VIC modules for FXO, ISDN BRI (though it won't do data calls), FXS (I'd recommend the channel bank though; I like it better than the Cisco analog stuff), etc lying around as well to make it interface with whatever you have. Just beware; it does have IVR capabilities, but they kinda suck. Adit 600 channel bank. Cheap as they come, and as good as they get for home POTS stuff. They also do weird things like ISDN BRI if you can find the cards for them. 8434DX phone for the Definity. The VFD tends to be indescribably awesome on these, and on the later phones (post-1997 or so; look for any without the AT&T logo), have off the shelf Noritake VFDs you can get for cheap to swap them with. Especially nice if you get stuck with a set that has a worn VFD. Telos Zephyr; ISDN MP2/MP3 audio transceiver. These are buckets of fun if you have access to one; most radio stations and recording studios have compatible models you can connect to and get really nice sounding feeds of their mixing consoles from. Also, . The newer Xstream models tend to answer automatically for normal phone calls and patch you into their audio input instead of deny them as these do. Tascam DR-07; these are flash based field recorders. I've been using one for about eight years, and can attest to them being a great way to record your, er, mishaps on the PSTN, among other things. Also, they tend to not break. Nortel ISDN BRI phone.
  15. That's my site, yeah. The server PSU died about a year ago, and I couldn't be bothered with fixing it for a number of reasons. Here's the files you're looking for: