ThoughtPhreaker

Everything posted by ThoughtPhreaker

  1. So a friend just sent a video to me which kinda made my head explode a little. Anybody else wondering what's going on in this picture? Or all 23 or whatever per second? Something tells me this isn't a Millennium hooked into the Quortech hivemind.
  2. Sure! https://openload.co/f/oQnm-Rx-i08/AUDIX_LX_app_soft.nrg https://openload.co/f/_Zs_lgNFWds/IALXR2.0.SP2.sp As I mentioned towards the beginning of the thread, it'll format your hard drive without asking when the installer boots. Once you boot it, aside from the steps I talked about a couple posts before this, it'll set everything up.
  3. I dunno. To be honest, I've mostly stopped associating the age of equipment with any sort of relative interest; it's more about uniqueness. Superficially speaking, I guess the DMS-10 and the 4E are the oldest switches in the network when you think about design age. But the hardware has gone through a lot of revisions since it was first put in; a DMS-10 from 1977 isn't going to use PowerPC processors, SDRAM, or DSPs. The trunk cards are bound to be a lot smaller, larger capacity, and all that. One of my current theories is that DMS-10s with an Expanded Network configuration (if I understand correctly, Nortel underwent a project to revise the DMS-10's internal TDM network in the nineties, and significantly expand its capacity in the process) may generate its tones in a different way from the classic configuration, so for example the offhook tone won't have that characteristic weird modulation, and the ring will be a bit different. At some point, I'd like to make an up close and personal visit to a phone line served off two switches I know for sure are/aren't using this new configuration; I've seen some DMS-10s do some weird things, like bring you right to reorder if you flash from a payphone (and then to permanent signal if you do it again) that I'd like to compare side by side. Getting back to my point though, there's some stuff like older code (albeit maybe ported to a more recent OS depending on the switch) you're probably never going to get away from, but it's a bit superficial to say a switch is more or less old just because it's a certain model. That's a good question; there's a guy in IRC who was looking into C5 trunking not too long ago. I haven't been making that many international calls recently to be honest. But IRC and the conference are where most of the goings on are these days. At least judging by the regulars we get there, that's partly why the forums have been a bit empty.
To be honest, I feel like I've been stretched thin for content at the moment between the rising numbers in the other two and some sudden shifts in real life circumstances. Anyway, I'd be surprised if everybody there wouldn't be down to help you with this. I definitely would be. I'm not exactly sure what you mean by old fashioned here, but I'm going to take a wild guess and throw this your way: ais_xtalk.flac This came as a complete surprise to me calling the Onancock, Virginia 5ESS a while ago. I'm going to go out on a limb here, and guess the recording I'm trying to dial is one you've heard about a million times if you've called any place Verizon hasn't sold off to another company yet. But more importantly, it shows that wherever there's robbed bit trunking, some circuit switches, and a situation where you really don't need more than just a destination and possibly ANI associated with a call, some switch engineer not wanting to chew up STP resources will throw everything up over a trunk with MF. At one point, I talked to someone who worked at a tiny, middle of nowhere telco about this particular scenario. From what he said, it sounds like it's common to reuse older T-carrier equipment occasionally that breaks channels out to 4-wire E&M instead of offering any sort of digital interface. They had some really old Lenkurt carrier system for 911 that did just this. Anyway, at some point, he thought the transmit and receive leads on one of the channels must've shorted. If you're looking to play with trunks, a lot of this stuff is hiding in plain view; for example, I learned from a reliable source that a certain large company's private T-carrier network (hint: it's one with lots of Rolms, and it isn't Macys) uses DTMF for inter-office signaling. I know this is possibly getting away from the premise of being oldschool, but getting back to the whole thing about DMS-10s, someone I know is served out of one from an independent telco.
Being the good sport that they are, they were nice enough to let me play with the dialout feature on their APMax voicemail, (why almost literally every independent DMS-10 has one of these boxes, I may never know. Though aside from that ridiculous voice they have, they're not bad) since they noticed it was a bit...off. Sure enough, there's a bunch of six digit codes that terminate straight to a 5ESS tandem - I think an operator service one a long ways away from the switch. Several seven digit codes leave you stuck on a completely different tandem switch - I think for local stuff. Anyway, one of my pseudo-long term projects has been trying to figure out what exactly this is going to, why, and if it can be used to make some odd things happen. I'm optimistic to say the least. I'm not going to tell you the phone network is extremely relevant to every part of everyone's life. With the FCC stuff going on right now (long story short, same culprits as the net neutrality mess, same characteristic 180 on previous policies/ignoring of all objecting input, even from the industry. PM me if you want more info on what's going on/who is challenging the decision; the forum really isn't the place for this), it could potentially be in problematic shape down the road. But what I will say is when you explain what phreaking is all about to anybody in any technical circle - even when you get into tiny dry details, people listen. You wouldn't necessarily know it by the forums, but the community is growing too; I routinely hear new voices on the conference, something we could barely pitch up for two hours with four people when it started. Now we're entering territory where five hours isn't unusual, and it occasionally gets too crowded to get a word in. 
Here's my personal take on it: as the decade progresses, we've been sliding into a period where the internet is increasingly compulsory for things like work, but also the platform for an increasingly narrow set of companies, an increasingly politicized medium, and increasingly less anonymous. When you tell people there's a worldwide network that can still be anonymous, as challenging as it is detailed and unique, and free of much of the drama from current events, the ideas behind being an 31337 phr34kz0r start to make some sense. The more creating, the more exploring and above all, the more inspiring that can be done... well, it can't hurt.
  4. The old version of Redhat comes with the software; when you boot the Audix installer, it'll write that to the hard drive. All the software you need to get it going is on there.
  5. I know this is a little overdue, but for anybody not too familiar with Linux, installing Audix is pretty straightforward. Before you start whatever machine will be running this, make sure the rotary switch on the card is set to zero; this helps identify the card ID to the software. Apparently, this matters a little less with the Windows drivers. Anyway, after booting the install CD, it'll copy all the install packages and reboot the system. Once it's booted, you'll get a login prompt. Type root at it, and you should get a command line. From there, type:

     mkdir /mnt/cdrom
     mount /dev/cdrom /mnt/cdrom
     vi /vs/bin/start_vs_now

     (There will be a single line in this script that tries to verify the hard drive serial before allowing the system to start. Press 'i' to input data using the text editor, and then put a '#' in front of the command. This will comment out the command, making the system skip the step. Press escape when you're done, and then ':w'. It should say it wrote the file. ':q' will get you out of there.)

     Finally, type:

     ./mnt/cdrom/autoinstall

     This should get everything off the ground. Once it's done installing, barring any Dialogic software conflicts, it should Just Work. Anything else can be administered from the web interface. As I said before though, keeping a machine like this exposed to anything near the open internet is likely an extreme liability. Anyway, typing 'dmesg | more' should give insight into any additional conflicts. Use space and enter to scroll down; all the Dialogic messages will be at the very end. Also, when the system boots, it'll attempt to check for loop current on the phone line. If it can't find it or just feels like being annoying, sometimes it'll put the line in a state where it's permanently offhook, and stop paying attention to it. To get it to behave, tell it to run a diagnostic on the line and it'll check again. To do this, you may have to busy it out (MANOOS) before testing, and release when you're through.
One final note - for anybody thinking about a D/41EPCI (also called a D/41ESC-PCI) card - if you know you're only ever going to use it for Audix - and just this version, there's a slight chance you may be able to get it to work; the old Dialogic 5.x system releases support the card, and a lot of the other weird odds and ends like ISA cards. I found an E locally for like, five bucks, shrugged and picked it up. So far, the system seems to turn its nose up at it (though it was a little beat up to be fair. There's definitely a component that'll have to be resoldered, and possibly a cut trace). The current releases, however, won't work with it, so the development potential (or just the not running it on a really old OS potential) for them is quite limited. According to random people on the internet, they're half duplex anyway. The long and the short of it though, is it's probably not worth the $3 or whatever you'll save. If you do have one however, you'll have to avoid the pre-written config files the Avaya people put on there. There'll be some utilities you can use in the /usr/dialogic/bin folder to write a new one for this specific card; I think mkcfg and config.sh. Make sure it writes it to the /usr/dialogic/avaya/cfg/ directory (the path may not be exact on that one; I'm not in front of Audix, and the system I ran it on for like, a day was quickly repurposed for ISDN things).

EDIT: Sorry. The start_vs_now script is copied after the autoinstall script does its thing. Do it after ./mnt/cdrom/autoinstall
  6. I've been doing some digging lately. Nothing too impressive quite yet; these appear to be the ranges where they keep mostly just recordings:

     580-251
     9199 - ACB via SS7
     9198 - Business w/T1? Ported to MCIMetro, allows dialing "eleven digit extensions".
     9197 - Ringout
     9196 - Ringout
     9195 - Ringout
     9193 - Ringout
     9191 - Ringout
     9182 - Ringout
     9181 - Ringout
     9177 - Subscriber
     9175 - Several rings, hangs up
     9164 - Ringout
     9162 - Business
     9161 - Business w/PBX
     9159 - Ringout
     9144 - Anonymous call rejection off rec
     9143 - rec, "We're sorry, your call cannot be completed from the phone you are using. This telephone number will only accept select incoming calls."
     9142 - Same as 9139
     9141 - Network difficulties rec
     9140 - CBCAD/CAC error rec
     9139 - Dialing LD CAC not necessary rec
     9138 - LD CAC required rec
     9137 - rec, Dialing 950 before CAC not necessary
     9136 - rec, "We're sorry, this telephone line is currently arranged for local calls only. The number you have called is not a local call."
     9135 - Weirdly split up rec, dial 950 before CAC
     9134 - Weirdly split up rec, # cannot be reached from calling area
     9133 - Weirdly split up rec, 911 reserved for future emergencies?
     9132 - Network difficulties rec
     9131 - Weirdly split up rec, ACB
     9130 - Weirdly split up rec, CBCAD from the phone you are using
     9129 - Coin deposit rec
     9128 - rec, party doesn't accept calls from anonymous numbers
     9127 - rec, "We're sorry, it is not necessary to dial the area code. On long distance calls, please dial 1 or 0 first, then the number."
     9126 - rec, Dial 1/0 + NPA first
     9125 - Dialing 1/0 not necessary rec
     9124 - NIS rec
     9123 - CBCAD rec
     9122 - Permanent signal rec
     9121 - YCDNGT rec
     9120 - rec, *57 success, refers to 800-281-4088
     9119 - Ringout
     9118 - Ringout
     9117 - rec, "We are sorry we are unable to complete your request for call return, auto-redial or call trace. The number you have dialed or attempted to trace is not available with these services, or has call forwarding activated."
     9116 - rec, "We're sorry, your call forwarding and selective call forwarding features cannot be active at the same time. Please consult your instruction materials or the business office if you need more information."
     9115 - rec, "Thank you. The number you are trying to reach is busy. If it becomes free in the next thirty minutes, you will receive a special ringback tone."
     9114 - rec, "Thank you. Your call return or auto-redial requests have been cancelled."
     9113 - Ringout
     9112 - rec, "We're sorry, the party you are calling is not accepting calls at this time."
     9111 - Ringout
     9110 - rec, "We are sorry, the line you are using is not equipped for this service."
     9109 - rec, "We're sorry, the line you are trying to reach has again become busy. You will need to reactivate your feature."
     9108 - Reorder with weird pulsating noise over it
     9107 - Reorder via distant end
     9106 - Reorder via 5E
     9105 - 105-type test
     9102 - 102-type test
     9101 - Ringout
     9100 - 100-type test

     410-256
     9999 - Telco facility trouble rec
     9998 - Network difficulties rec
     9997 - LD CAC required rec
     9996 - Same as 9999
     9995 - rec, Dialing LD CAC not necessary
     9994 - 105-type test
     9993 - CBCAD/CAC error rec
     9992 - Damaged 15A channel
     9991 - rec, LD CAC must be preceded by 950
     9990 - CBCAD/check your instruction manual
     9989 - ACB via SS7
     9988 - Ringout
     9987 - Silence, supes
     9986 - Baltimore County Government centrex NIS rec
     9985 - White Wash(?) Police Station centrex NIS rec
     9984 - Ringout
     9983 - rec, M2 - Equipment Location: 57 - Channel: 7, Spare Channel - Perry Hall
     9982 - Ringout
     9981 - rec, Miscellaneous Frame 2, Equipment Location: 57 - Channel: 6, Spare Channel - Perry Hall
     9980 - rec, M-Frame 2, Equipment Location: 57, Channel 5, Perry Hall
     9979 - Ringout
     9978 - Silence to eventual reorder
     9977 - Ringout
     9976 - Ringout
     9975 - NIS/directory assistance thing
     9974 - Ringout
     9973 - Ringout
     9971 - Ringout
     9970 - Coin deposit rec
     9969 - Busy signal via 5ESS
     9967 - Ringout, forward to weird AIS report for 888-468-0145 <-- This appears to be some sort of kluge; whatever plays this will respond to DTMF. My guess is it was an old NOC number or something. Toll-frees near it don't appear to go to anything related unfortunately.
     9966 - CBCAD rec
     9965 - Ringout
     9964 - ACB via SS7
     9963 - Ringout
     9962 - Ringout
     9961 - Ringout
     9959 - Ringout
     9958 - Ringout
     9957 - rec, "The person you are calling is busy. Please stay on the line."
     9956 - Reorder via distant end
     9955 - Ringout
     9954 - Ringout
     9953 - Ringout
     9952 - ACB via SS7
     9951 - rec, "The person you are calling is busy. Please try your call again later."
     9950 - Ringout
     9949 - CBCAD rec
     9948 - Anonymous call rejection service on rec
     9947 - Anonymous call rejection service off rec
     9946 - Ringout
     9945 - Ringout
     9944 - Busy signal via SS7
     9943 - Calls w/privacy bits not accepted rec
     9941 - Ringout
     9940 - NIS/directory assistance thing
     9939 - rec, "We're sorry, the number of the last incoming call is marked private, and cannot be returned using this service. Please hang up."
     9938 - Ringout
     9937 - Ringout
     9936 - Ringout
     9935 - Ringout
     9934 - Ringout
     9933 - Ringout
     9931 - Ringout
     9930 - Ringout
     9929 - YCNDGT rec
     9928 - Ringout
     9927 - Permanent signal rec
     9926 - Ringout
     9925 - Ringout
     9924 - Ringout
     9923 - Dial 1 first rec
     9922 - Dialing 1 not necessary rec
     9920 - Ringout
     9919 - Ringout
     9918 - Ringout
     9917 - Ringout
     9915 - Ringout
     9914 - Ringout
     9913 - Silence?
     9912 - Silence?
     9911 - Ringout
     9910 - ACB via SS7
     9908 - Ringout
     9907 - Ringout
     9906 - Silence to reorder via SS7
     9905 - Ringout
     9904 - Busy via SS7
     9903 - Ringout
     9902 - Ringout
     9901 - Ringout
     9900 - Echo test?

     301-390
     9998 - YCDNGT rec
     9995 - CBCAD rec
     9994 - Reorder via SS7
     9993 - Same as 9998
     9992 - CBCAD rec
     9991 - ACB via DMS-100/200
     9987 - Echoey thingie?
     9984 - Ringout
     9982 - # cannot be reached from calling area rec
     9981 - *66 fail rec - # marked private
     9980 - CBCAD rec
     9979 - rec, anonymous call rejection service on
     9978 - rec, calls w/privacy bits not accepted
     9976 - rec, anonymous call rejection service off
     9975 - rec, "At this time, the party you have called is not taking calls."
     9974 - rec, "We are sorry. We are unable to complete this request because the number you have called has become busy again."
     9973 - rec, "You have just deactivated this feature."
     9972 - rec, "This service cannot be activated because the telephone number is not in our serving area"
     9971 - Repeat dial activation rec
     9970 - *57 unavailable rec
     9969 - rec, Dial NPA+7d for local Maryland calls
     9968 - *57 success rec
     9966 - LD CAC CBCAD rec
     9965 - Network difficulties rec
     9964 - ACB rec, unusual voice
     9963 - CBCAD/CAC error rec
     9962 - Dialing LD CAC not necessary rec
     9961 - Dialing 950 before CAC not necessary rec
     9960 - Dial 950 before CAC Rec
     9959 - Same as 9964
     9958 - Dial 1 first rec
     9957 - Telco facility trouble rec
     9956 - CBCAD from the phone you are using rec
     9955 - Reorder via distant end
     9954 - Permanent signal rec
     9953 - YCDNGT rec
     9952 - Coin deposit rec
     9951 - ACB rec
     9950 - CBCAD rec
     9949 - Reorder via SS7
     9948 - Reorder via SS7
     9945 - ACB via SS7
     9944 - Ringout
     9939-9920 - Ported to CRC Communications, business w/wrbly Shoretel
     9919 - Ringout
     9918 - Ringout
     9917 - Busy via SS7
     9910 - Ringout
     9900 - Forward to cell

     360-373
     0000 - Ringout
     0001 - 105-type lookalike?
     0002 - rec, "The number cannot be reached now. Please hang up and try again later."
     0003 - ACB rec
     0004 - CBCAD from the phone you are using rec
     0005 - Ringout
     0006 - AIS report, # in service
     0007 - Ringout
     0008 - rec, dial 10d for local
     0009 - Ringout
     0010 - ACB via SS7
     0011 - Busy via ?
     0012 - rec, LD company experiencing temporary service problem
     0014 - Reorder via ?
     0015 - Modem
     0016 - NIS rec
     0017 - Ringout
     0018 - Reorder via distant DMS-100
     0019 - Same as 0018
     0020 - 100-type test
     0021 - Permanent signal rec
     0022 - Ringout
     0023 - YCDNGT rec
     0024 - CBCAD rec
     0025 - 102-type test
     0026 - rec, Dialing 1 not necessary
     0027 - Dial 1 first rec
     0028 - Coin deposit rec
     0029 - CBCAD/call the business office for assistance rec
     0030 - 105-type test
     0031 - Repeat dial line busy rec
     0032 - 100-type test
     0033 - Network difficulties rec
     0034 - Reorder via distant end
     0035 - CBCAD w/access code dialed rec
     0036 - Same as 0018
     0037 - Ringout
     0041 - Telco facility trouble rec
     0042 - LD CAC required rec
     0043 - Ringout
     0044 - Ringout
     0047 - Ringout
     0048 - Ringout
     0051 - rec, "You have reached the Bremerton DS0"
     0053 - 102-type test
     0059 - Subscriber, ported to Astound Broadband
     0062 - Ringout
     0066 - Ringout
     0067 - Subscriber w/Panasonic AM (left off here; too many subscribers)
  7. That's probably coming from whatever network you used to connect; some DMSes like to send an all circuits busy cause code after they play their announcements. I haven't done this on the ex-LCI network Centurylink runs in a while, but iirc, they use MCI to terminate into Canada.

     503-802-0086 - Integra Telecom NOC
     0204 - DMS-100 DISA dialtone
     310-581-0005,0006 - GTE thingie? Picks up and plays fourth column DTMF.
  8. There's been a conference that's consistently been going on every day at 10 PM Eastern. If you're bored, drop by. 631-788-0001, xt. BINREv
  9. It reminded me of the guy who used to be on the Atlanta airport train recordings up until quite recently, actually. It was fairly new, relatively speaking (~2000 or so?), but the voiceover guy tried to go for an oldschool, mid-20th century radio style of announcing.

     206-973-5010 - Skeevy sounding psychic line
     206-973-5025 - Login prompt for said skeevy sounding psychic line
     402-376-0012 - Low speed modem (2400/- bps)

     AXE-10s seem to always have these weird, off-frequency tones just lying around. If you bothered to call the modems, you'll notice the ring is kinda off-frequency too:

     402-376-0025 - Weird tone
     402-376-0026 - Other weird tone
     402-376-0000 - I can never figure out what this is; all Qwest AXE-10s have them. Notice there's a burst of ring that's more than likely not coming from the AXE-10. Not sure about that reorder. Maybe it's waiting for digits in that whitespace?
     402-376-0065 - Coin deposit recording with a *lot* of reverb. I dunno why, but this made me laugh.
     402-376-0085 - Modem
  10. So not too long ago, Ramsaso brought to my attention that Nokia/Alcatel-Lucent didn't EoL the 1AESS because they didn't want to support it anymore, but because AT&T cancelled their maintenance contract. Since they were the last 1A support customer, they dismantled the last lab 1AESS in Naperville, Illinois. That got me thinking about a lot of things, but most importantly, if they had a 1AESS lab in Naperville, what else do they have there? The answer? I have no idea, but they have two whole exchanges - 630-713 and 630-979 assigned to them. This might be one of those cases where having a thing that isn't a person dial numbers for you might actually be a good idea. Even for a group project, 20,000 numbers is a bit much. Especially here; if you look around, you'll discover it's, er, a little underwhelming for a place where there's switch labs. But given the potential reward for finding something fun here, I thought I might mention it anyway. Never know; sometimes if you just dial around for patterns like x000, x999 or whatever (though maybe not those specific ones here, sadly), you'll find stuff. Anyway, 630-979-4000 is probably the most useful number of the bunch - this doohickey is the custom voicemail platform someone came up with. It sounds like an engineer farted it out in a day or two, but it has a working name directory if nothing else. The system has a weird way of arranging phone numbers. For example, 630-713-1744 maps out to 2-873-1744 internally. 630-979-9599, likewise, is 2-879-9599.
  11. If I remember right, this was taken at Defcon around the turn of the decade or so. Someone was playing it on the bridge, so I don't have a solid reference for where it's from. Keep in mind even that can be a problem sometimes: 304-720-9915, 863-297-9998, 707-262-0086.
  12. So today, I was thinking about a few people I'd talked to recently - they told me they were into the idea of scanning, but because of their lack of free time/direction, it was hard to find space in their lives for this sort of thing. So I was thinking; should I build a thing with my Dialogic box that automatically dials ranges that look potentially fun, and let people review the recordings/manually make a description of what's actually on the line? There could be a rough level of signal detection using the DSP; enough to let you search by what you'd like to see most; whether it be recordings, VMBs, modems or dialtones or whatever, and let you select by region or operating company. Maybe some more powerful signal detection could be tacked on at a later point that could recognize certain manufacturers or switch types. This would be a pretty significant undertaking, so I'd like to know if anybody is interested before I actually do this. If you don't actively scan and would like to, would this help turn the tide for you a little?
  13. I'd consider options other than waiting for a call for assistance for the moment. Sorry. For a lot of reasons, including being in northern California for those wildfires last week (evacuating tends not to be fun. Not so much because of the impending doom, but because of the obligatory people driving like absolute retards you see in disasters, and having to take a long car trip when you're least in the mood for one), I've had an unusual amount of things to deal with recently. If you want to hop on the bridge one night though, that might be a good way to look into this.
  14. The N4Es specifically have media gateways, so they could just use existing TDM trunks. I don't know what they're run over, but with things that are very clearly running over IP like the 4E-APS redesigns (notice in areas like Los Angeles and New York, the 800-223-1104 ANAC has a different voice. They don't seem to be actively adding these at the moment), I just sorta assume they're at least reachable on the public internet. Occasionally they'll have the sort of staggering packet loss that would imply a bunch of people trying to attack it or something.
  15. The problem with WarVox and a lot of those other programs is it follows the mentality of people who equate this sort of dialing with a relatively menial practice, like nmapping but for phone calls (which to be fair, isn't to say that's not the case in some places. Learning to anticipate when you're going to be left with two wasted hours and a couple milliwatts is an important part of this), and are relatively inexperienced with phone networks to boot. For example, there's a video somewhere of the Warvox developer in particular getting a dialtone from some sketchy route his voip provider used, and mistaking it for something actually coming from what he was trying to call. Anyway, when you get rid of the tediousness of disconnected numbers and subscribers, it's a really enjoyable practice that helps you learn way more about the network than anything else; sort of like a huge improv exercise. Techniques like identifying switches based on the ringback sample they use never would've become a thing if there weren't people practicing hand scanning. There's also a fair number of things that automated analysis will very frequently miss. So the idea behind all this is to keep a level of automated detection for the purposes of indexing; so people know where to look and if they're in a mood for a particular sort of thing, finding them a range that has a lot of it. But also, ultimately, letting a caller be the ultimate judge of what's on the other end, and giving them maximum exposure to the network. So essentially to take the monotony out, keep all the good parts, and organize it in a way that works with a minimal amount of free time. Or to put it simply, I'm kinda tired of half the some numbers posts being mine.
  16. For anybody else interested in ASA, here's a copy: http://www87.zippyshare.com/v/5KLQq8cL/file.html https://openload.co/f/Vmg1F004bdM/siteadmin.zip I think the command to grab the translations from the Definity to a computer is 'upload translations'. I'm honestly a little confused; I've never seen it barf out something blank like that before. If you could try again, that'd be great; there's a checksum for like every block in the xmodem protocol, so there's no chance of it uploading something it shouldn't. Well, not without Hyperterminal (or the Definity) raising a huge stink anyway. No worries! It might be a while before I can get a normal machine to run this with (the machine that currently runs my Dialogic code gets pretty frequent use right now, and being headless, it's hardly a normal install case) though, so let me know if you want me to just help you remotely for now. I know enough by memory to get it working for that and improvise the rest. For starts, you'll need a Dialogic card. This is the particular model I have. It's cheap and works with normal POTS stations. Occasionally you'll see them go for a little cheaper on eBay, but this is pretty good: http://www.ebay.com/itm/D41JCTLSW-Dialogic-4-Port-Analog-Loop-Start-PCI-SP-Voice-Interface-Card-/272816283916?epid=1656832384&hash=item3f851e210c:g:K98AAOSw4DJYf22m . It's about a foot long, so finding a machine it physically fits in (most off the shelf ATX machines will do) is going to be your biggest bottleneck. Any Pentium 3 (or later 2)-era thrift store/yard sale/dumpster machine with 256 or so MB RAM will run the software perfectly fine. After booting the install CD, keep in mind it'll overwrite your hard disk without asking too. Once it boots, you may need to set the root password and start up an SSH server (beware that leaving any system running a Linux distro this old on the public internet is an extreme liability. 
Since it was convenient, I was using a dial-up modem to run mine for a while) before installing the Audix software packages. If you need any help with that, just let me know. That's right; the formatting stuff the Definity spits out with the dump isn't part of what's in RAM. But by pasting all that in a hex editor, you're converting ASCII to hex data, though. The RAM location with the passwords changes with each build. My way of figuring out where is to just search for the string 'inads' until I find what looks like passwords. From the TCM shell (which I *think* exists in release 6. At least, there's a TCM process. I don't think you can type 'go tcm' until 7 or 8 though), you can get a fairly solid example from the Definity itself of what the location with passwords looks like: That's a good question - I don't think the keys are necessarily in the RAM, but the program that validates them definitely is. I honestly don't have any idea how to do it. EDIT: Here's some cheaper Dialogic cards. Like I said, they go for peanuts: http://www.ebay.com/itm/Dialogic-D-41JCT-LS-4-port-Combined-Media-Board-Voice-Interface-Card-/263201498830?epid=86074960&hash=item3d480826ce:g:AZoAAOSwZr9ZtxdD http://www.ebay.com/itm/DIALOGIC-4-PORT-ANALOG-VOICE-FAX-COMBINED-MEDIA-BOARD-D-41JCT-LS-/162099670042?epid=86074960&hash=item25bde4ac1a:g:PVIAAOSwbwlXCsoz http://www.ebay.com/itm/Dialogic-D-41JCT-LS-Combined-Media-Board-Voice-Interface-Card-/332385891932?epid=86074960&hash=item4d63be365c:g:sm4AAOSwo4pYCRGh It's a little strange; these go for like, $5,000 brand new, and some of them weren't even opened. From the auction descriptions, it sounds like some people are mistaking these for dial-up modems. If you're willing to go through the trouble to develop software for them, it's a ridiculously good deal. There's also another card you can occasionally find that's smaller and should be runnable using the same API. 
I haven't tested it, but if anybody wants to give it a try, here's one: http://www.ebay.com/itm/DIALOGIC-D-4PCIU-D4PCIUFW-44-0053-02-4-PORT-VOICE-FAS-MEDIA-PCI-E-CARD-/272741298914?epid=80086610&hash=item3f80a5f2e2:g:bPQAAOSwnK9ZVTr0
  17. No dice. Maybe! I wonder if a slow sweep tone or something would be in order. The pause/repeat thing sounds like it may be your long distance carrier changing routes. If you're okay with casual dialing (should be safe; I'd be sure, but I don't think it supes), try seeing if AT&T or MCI do the same. I'd be really disappointed if it was the case, but I was thinking this might just be the Nortel announcement card making that tone; they sometimes end calls with that same (or at least a similar) cause code.

     706-219-0002 - Windstream NOC
     434-223-6399 - Newer Otis elevator at university, on Meridian. 7200 is a Siemens elevator.

     706-865
     1112 - Ringout bridge
     1113 - rec, "The number you have dialed is a party on your own line. Please hang up and allow the phone to ring several times before lifting the handset to talk."
     1117 - Ringout
     1118 - Ringout to Meatwitch VMB, Windstream Cleveland CO
     1119 - Business
     1120 - Ringout to Meatwitch VMB (CNAM: WINDSTREAM)
     1121 - Loud, 20 hertz ringing x1 + hang up
     1122 - Mitel PBX ringout to Express Messenger VMB, answers with **93604
     1123 - Ringout
     1124 - Ringout
     1125 - Ringout
     1126 - Ringout
     1127 - Ringout
     1128 - Ringout
     1129 - Ringout
     1130 - Modem
     1131 - Ringout
     1133 - Ringout
     1134 - Ringout
     1135 - Ringout
     1136 - Ringout
     1137 - Ringout to Meatwitch VMS
     1138 - Ringout to Meatwitch VMS
     1139 - Ringout
     1140 - Ringout
     1141 - Rings x1, hangs up quickly
     1142 - Ringout
     1143 - Ringout
     1144 - Ringout
     1145 - Ringout
     1146 - Ringout
     1147 - Modem
     1148 - Modem
     1149 - Ringout
     1150 - Ringout
     1151 - Ringout
     1152 - Ringout
     1153 - Ringout
     1154 - Ringout
     1155 - Ringout
     1156 - Modem
     1157 - Ringout
     1158 - Ringout
     1159 - Ringout
     1160 - Ringout
     1161 - Modem
     1162 - Ringout
     1163 - Ringout
     1164 - Ringout to Meatwitch VMB
     1166 - Ringout to Meatwitch VMB
     1170 - Ringout
     1171 - Ringout to Meatwitch VMB
     1180 - Meatwitch VMB
     1183 - Meatwitch VMB
     1184 - Meatwitch VMB
     1186 - Meatwitch VMB
     1187 - Ringout
     1190 - Really old AIS. Cognitronics? NIS report.
     1191 - Same as 1190
     1192 - Same as 1190
     1193 - Same as 1190
     1194 - Same as 1190
     1195 - Same as 1190
     1196 - Ringout
     1197 - Ringout
     1198 - Same as 1190
  18. I'll post it here. This forum is for sharing information, not hoarding it. https://openload.co/f/1ZIT1mcLD3U/system-75_atttj.zip
Long story short, there's an AT&T Technical Journal article on the System 75 - the Definity's ancestor - my friend was nice enough to snap some pictures of at a university library. I won't mention them unless they specifically want me to, but it goes into a reasonable amount of depth about the Definity's hardware and software architecture. Part of what it details is the Definity's DCP protocol; the one used to communicate with the phones. It's an ISDN spinoff, long story short. Probably a variant of 5E custom. If you take a close look at the cards, you'll notice there's some Siemens PEB2075 (iirc) D-channel exchange controller ICs on them that all but confirm it's ISDN. A logic analyzer or an ISDN-specific protocol analyzer will take you a long way in figuring out the differences between this and an off the shelf basic rate interface.
I don't see a lot of issues with Definity cards, but usually it's just some discrete components that flaked off because of heat or mishandling. I can't claim surface mount soldering is easy, but it's doable. Especially when it's just a few capacitors or resistors that were very clearly ripped off the PCB.
Not especially, no. While I've heard a lot of things about the ICPs (am I the only person who goes out of their way to call them Insane Clown Posses? I feel like a dork for letting that crack me up), not a lot of them make me confident in their ability to behave under normal circumstances, let alone when someone takes their fans away. More to the point though, the Definity fans are off the shelf 120mm ones. You could take ten minutes to slap new ones on instead of literally endless years of soul crushing work.
I had this conversation with Gewt at one point, and she suggested a pair of these: http://www.mouser.com/ProductDetail/Sanyo-Denki/9S1212L401/?qs=sGAEpiMZZMt9MS9kROxCwxJGgTye%2bJ04n%2bGQcnh6s2E%3d . While the noise level isn't currently a big issue for me (the Definity lives in my garage), the fans both use standard color codings for +5/+12 volts and ground. To be safe, maybe compare with a thermometer for about a half hour or so on both to make sure the new fans are doing what they should, but otherwise, you should have a quieter Definity in a lot less time for in all likelihood a lot less money.
With all due respect, you're not likely to find a lot of people supporting that belief in any sort of practice. As someone who doesn't have a serious knowledge of car engines, if I were to ask a team of mechanics to develop a custom replacement engine for me and informed them that I wouldn't be able to help them make it, even if they liked the engine, there's probably no team in the world that would take on such an effort for free. You could apply this same idea to construction, music composing, or like I said - any sort of practice that involves significant skill.
This is getting out of the realm of this topic, but on a personal note, I've seen far, *far* fewer UCx systems out there than I do original Norstar or BCM systems in place. The economics make much more sense in that case too; lots of nationwide store chains have Norstar key systems. Definities are more of a one-off system for mid-sized businesses and offices. The only chain users I know of off the top of my head are Nordstrom and Motel 6. In the first case, they don't show any interest in getting rid of their Definities, and are installing Auras that can support DCP phones in all their new stores. In the second, aside from attendant consoles and maybe one or two staff phones, the phones are all vanilla analog sets.
If you'd like to pick up a UCx though, you can probably get one for pretty cheap from one of the Toys 'R Us stores going out of business.
That being said, please do keep in mind that this forum isn't a business, and none of us are getting paid to do this; this is all funded with money out of our pockets and with a substantial chunk of spare time out of our personal lives. When I started trying to learn how to unlock Definity processors three years ago, I hadn't written a line of code, and had a generally much fuzzier understanding of how computers and even phone switches worked internally. Much like phreaking has continually helped me learn a lot of new skills and ideas, it's partly thanks to being able to stick with this undertaking that I was able to gain a much more solid understanding of computer software and time division multiplexing, and help make a lot of great things happen in the process, like bringing Definity service to Toorcamp and hopefully saving some PBXes from the scrap heap. As a general rule, most people who do this sort of thing are ready to help everyone else with that sort of understanding; it always leads to great things, but that readiness ends on huge projects the initiator shows no motivation to participate in. If you don't like this, well, we've already given you an ample amount of resources you'll find literally nowhere else on the internet to help you start, and some of them have been uploaded specifically for your benefit. You're welcome to expect a better response from all the other groups of people doing Definity reverse engineering.
  19. Slip in some vanilla vodka, and we're _definitely_ in business.
I detailed a bit about this on the first page; basically, there's just a substitution cipher that's used to encode the password; so like, it'll change all As to Zs, Bs to Xes, etcetera. After it's done with that, it'll switch around the byte order. I only had the first several written down (fifth is first when unscrambled, sixth is second, fourth is third, seventh is fifth, first is sixth, third is seventh, ninth is eighth, eleventh is ninth, eighth is tenth, tenth is eleventh), so figuring out how to get the rest was mostly a matter of figuring out what word they were trying to put in there. The Definity OS has no RAM protection, so once you figure out what address the password is stored at (which isn't hard; just ctrl+f for inads in the ramdump. You'll see two iterations of the obfuscated passwords next to their respective usernames. The first one is the current one, the next is the previous password you used; the idea being you aren't supposed to use it again), you can use the wva (write virtual address) command to overwrite the passwords if you want.
On that note, the ramdump can be translated back into binary data by filtering out all the crap from the dump program. There's probably an elegant way to do this with awk or some other Linux tool. It's times like these I can be more sloppy than I care to admit; I'll just use Openoffice. After getting rid of all the things that obviously aren't data, like the command you typed and the error message at the end, you do some find and replace functions; one for '0x' and another (with regular expressions enabled) for '004.....:' . When you're done, nothing should exist except the data (minus the 0x portion) it was spitting out. Paste this into a hex editor - I prefer HxD, and save it.
The answer to that is very likely yes. I'm mostly seeing a lot of blank bytes in that file, though. How're you uploading it?
Yeah; you can just use mode codes (DTMF) instead of a C-LAN card. I *think* I talked about what RPMs to install at some point in this thread. Lemme know if I didn't/you'd like me to walk you through it.
Nope. Release nine doesn't use any sort of key-based licensing, so while the R12 processor will accept the translations, it'll run in no license mode. In a word, it's no fun mode. The translations for the later systems also have a key that includes the processor's serial number.
I dunno if/when there'll be any concrete success to work out, but for the moment, the processor I yanked off eBay had some encouraging things to say:
If you play around (don't be shy; carrier grade telecom gear isn't exactly made of glass), you'll find the byte that tells the Definity to prompt you for ASG instead of a regular password. It should be about 112 bytes after the last character of a password, and will be a 0x01. There's like, six, so a minimal amount of trial and error will find it. When you get a copy of your translations file, change it to 00, and change another 00 in the file (most next to the first byte should be fine) to a 01 to satisfy the checksum and upload it. If you do this for, say, inads, you'll have permission to write to the system's RAM at will. You can change this for init, but the system will just ignore this. Sort of a moot point, since not much can be done in the way of activation without knowledge of the licensing.
Yup, sorry. It's just been an interesting week. Long story short, my hands have been a little tied. Even on the worst of days, I'll find time to hit the conf, but sometimes my ability to respond to forum stuff gets onto the chopping block.
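The dump clean-up described in the post above (drop everything that isn't data, strip the '004.....:' labels and the '0x' prefixes, save the rest as binary), as an added Python example that is not part of the original post. The dump line layout, the sample text and the function names are assumptions constructed from the two find-and-replace patterns; it also rejects a capture that has lost lines.

```python
import re

# Assumed line shape, inferred from the post's find-and-replace patterns:
# a "004xxxxx:" address label followed by 0x-prefixed hex words.
LINE = re.compile(r"^\s*(004[0-9A-Fa-f]{5}):\s*(.*)$")
WORD = re.compile(r"0x([0-9A-Fa-f]+)")

# Constructed sample capture: command echo, two data lines, trailing error text.
SAMPLE_DUMP = """\
rd -f 2000000x pam 0x400000
00400000: 0x00000000 0x696e6164 0x73000000 0x00000000
00400010: 0x41424344 0x45464748 0x00000000 0x00000001
(constructed error line printed when the dump ends)
"""

def dump_to_bytes(text):
    """Return (base_address, data) recovered from captured debugger output."""
    base, out = None, bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # command echo, error message, blank lines
        addr, rest = int(m.group(1), 16), m.group(2)
        leftover = WORD.sub("", rest).strip()
        if leftover:
            raise ValueError(f"line {lineno}: unexpected text {leftover!r}")
        if base is None:
            base = addr
        elif addr != base + len(out):
            # A dropped line in a serial capture would shift every later offset.
            raise ValueError(f"line {lineno}: gap, expected {base + len(out):08x}")
        for word in WORD.findall(rest):
            out += bytes.fromhex(word)  # digits kept in printed order, as when pasted into a hex editor
    if base is None:
        raise ValueError("no dump lines found")
    return base, bytes(out)

def addresses_of(data, needle, base):
    """Virtual addresses at which needle occurs in the converted dump."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(base + i)
        i = data.find(needle, i + 1)
    return hits

if __name__ == "__main__":
    base, data = dump_to_bytes(SAMPLE_DUMP)
    with open("ramdump.bin", "wb") as fh:
        fh.write(data)
    print(hex(base), len(data), [hex(a) for a in addresses_of(data, b"inads", base)])
```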
  20. I may have a copy that came as part of a backup of some super sketchy Russian FTP. When I get home, I'll look into that, among some other things, and finish writing up the aforementioned Definity unlocking stuff.
  21. If you feel like using putty, one thing I've had some particular success with in minicom are the VT220 function codes. It's been a while since I've had a Windows machine hooked directly up to the Definity, but I think this works roughly the same. In VT220 mode, the shift+Fx keys should be mapped to the Definity function keys. For example, shift+F5 is help, shift+F7 is confirm. Page up/down are mapped normally, and cancel works as delete. On some notebooks, sometimes the function keys will move around a bit, so you'll wind up with shift+f3 or something doing what you want. It takes some trial and error, but once you've got it down, it relieves a lot of terminal headaches.
  22. I'll update this post with some more info when I'm not getting ready for work, but for now, the password for your release 6 card is '0nvacat10n'. Nothing like a cute little Definity word scramble to start your day. I guess you just had a different build than the other release 6 I unlocked.
  23. Try booting the system without a card and logging in as inads. The command 'go debugger local' should be available from the command interface, though not listed. At the debug interface, type this: rd -f 2000000x pam 0x400000 . If you post the dump on here, I can filter the output to reflect the actual binary it's dumping pretty easily. If you want to just upload it, I can A) tell you the password, B) tell you what ram address and commands you need to use to change it, or C) we can skip all this crap, and you can just try the password 'e5peranto'. If I remember right, that's the release 6 init password. A little less fun, but it gets you what you need.
  24. 617-534-0000 - Voicemail unavailable recording. 15A announcement machine (the kind the 5ESS uses) on a DMS-100?
617-248-9901 - Permanent signal announcement
617-248-9902 - Dial 1+NPA for toll calls rec
617-248-9970 - rec, "We're sorry, your call cannot be completed as dialed. You need additional digits to complete your call. This is a recording."
617-638-9905 - "This is an emergency telephone. Press 1 to talk..."
252-441-4392 - Norstar key system at Carolina Telephone Kill Devil Hills CO. Press * for options
207-442-9923 - Modem
207-442-9932 - 480 hertz tone!? Times out to ACB cause code
207-442-9936 - 620+480 hertz tone, times out to ACB cause code
Those last two I'm really scratching my head on.
  25. Damn, you've been busy! Thanks for taking a look. The thing on 6091, for whatever it's worth, seems to accept some commands preceded with a *. So for example, *1 will keep waiting; usually for a * to terminate whatever you're dialing. *3 seems to consistently wait for more digits after you press a terminating *. When it picks up, it spits out *9 and a bunch of zeroes. I think ten. Some of those modems on there are indeed, well, modems, but whatever this stupid PBX is will hear the 2100 hertz handshake tone and start trying to impose T.38 on the connection. Needless to say, it's as unnecessary as it is annoying; the connection to the outside is done over a PRI or some other T1-based thing. But yeah - sorry nobody responded to you; you definitely deserved one a lot sooner. If you feel like taking a look at the other exchange, it can't hurt, but I honestly don't have high hopes for fun stuff.