ThoughtPhreaker

Members
  • Content count

    1,699
  • Joined

  • Last visited

  • Days Won

    102

Everything posted by ThoughtPhreaker

  1. So not too long ago, Ramsaso brought to my attention that Nokia/Alcatel-Lucent didn't EoL the 1AESS because they didn't want to support it anymore, but because AT&T cancelled their maintenance contract. Since they were the last 1A support customer, they dismantled the last lab 1AESS in Naperville, Illinois. That got me thinking about a lot of things, but most importantly, if they had a 1AESS lab in Naperville, what else do they have there? The answer? I have no idea, but they have two whole exchanges - 630-713 and 630-979 assigned to them. This might be one of those cases where having a thing that isn't a person dial numbers for you might actually be a good idea. Even for a group project, 20,000 numbers is a bit much. Especially here; if you look around, you'll discover it's, er, a little underwhelming for a place where there's switch labs. But given the potential reward for finding something fun here, I thought I might mention it anyway. Never know; sometimes if you just dial around for patterns like x000, x999 or whatever (though maybe not those specific ones here, sadly), you'll find stuff. Anyway, 630-979-4000 is probably the most useful number of the bunch - this doohickey is the custom voicemail platform someone came up with. It sounds like an engineer farted it out in a day or two, but it has a working name directory if nothing else. The system has a weird way of arranging phone numbers. For example, 630-713-1744 maps out to 2-873-1744 internally. 630-979-9599, likewise, is 2-879-9599.
  2. So today, I was thinking about a few people I'd talked to recently - they told me they were into the idea of scanning, but because of their lack of free time/direction, it was hard to find space in their lives for this sort of thing. So I was thinking; should I build a thing with my Dialogic box that automatically dials ranges that look potentially fun, and let people review the recordings/manually make a description of what's actually on the line? There could be a rough level of signal detection using the DSP; enough to let you search by what you'd like to see most; whether it be recordings, VMBs, modems or dialtones or whatever, and let you select by region or operating company. Maybe some more powerful signal detection could be tacked on at a later point that could recognize certain manufacturers or switch types. This would be a pretty significant undertaking, so I'd like to know if anybody is interested before I actually do this. If you don't actively scan and would like to, would this help turn the tide for you a little?
  3. For anybody else interested in ASA, here's a copy: http://www87.zippyshare.com/v/5KLQq8cL/file.html https://openload.co/f/Vmg1F004bdM/siteadmin.zip I think the command to grab the translations from the Definity to a computer is 'upload translations'. I'm honestly a little confused; I've never seen it barf out something blank like that before. If you could try again, that'd be great; there's a checksum for like every block in the xmodem protocol, so there's no chance of it uploading something it shouldn't. Well, not without Hyperterminal (or the Definity) raising a huge stink anyway. No worries! It might be a while before I can get a normal machine to run this with (the machine that currently runs my Dialogic code gets pretty frequent use right now, and being headless, it's hardly a normal install case) though, so let me know if you want me to just help you remotely for now. I know enough by memory to get it working for that and improvise the rest. For starts, you'll need a Dialogic card. This is the particular model I have. It's cheap and works with normal POTS stations. Occasionally you'll see them go for a little cheaper on eBay, but this is pretty good: http://www.ebay.com/itm/D41JCTLSW-Dialogic-4-Port-Analog-Loop-Start-PCI-SP-Voice-Interface-Card-/272816283916?epid=1656832384&hash=item3f851e210c:g:K98AAOSw4DJYf22m . It's about a foot long, so finding a machine it physically fits in (most off the shelf ATX machines will do) is going to be your biggest bottleneck. Any Pentium 3 (or later 2)-era thrift store/yard sale/dumpster machine with 256 or so MB RAM will run the software perfectly fine. After booting the install CD, keep in mind it'll overwrite your hard disk without asking too. Once it boots, you may need to set the root password and start up an SSH server (beware that leaving any system running a Linux distro this old on the public internet is an extreme liability. Since it was convenient, I was using a dial-up modem to run mine for a while) before installing the Audix software packages. If you need any help with that, just let me know. That's right; the formatting stuff the Definity spits out with the dump isn't part of what's in RAM. But by pasting all that in a hex editor, you're converting ASCII to hex data, though. The RAM location with the passwords changes with each build. My way of figuring out where is to just search for the string 'inads' until I find what looks like passwords. From the TCM shell (which I *think* exists in release 6. At least, there's a TCM process. I don't think you can type 'go tcm' until 7 or 8 though), you can get a fairly solid example from the Definity itself of what the location with passwords looks like: That's a good question - I don't think the keys are necessarily in the RAM, but the program that validates them definitely is. I honestly don't have any idea how to do it. EDIT: Here's some cheaper Dialogic cards. Like I said, they go for peanuts: http://www.ebay.com/itm/Dialogic-D-41JCT-LS-4-port-Combined-Media-Board-Voice-Interface-Card-/263201498830?epid=86074960&hash=item3d480826ce:g:AZoAAOSwZr9ZtxdD http://www.ebay.com/itm/DIALOGIC-4-PORT-ANALOG-VOICE-FAX-COMBINED-MEDIA-BOARD-D-41JCT-LS-/162099670042?epid=86074960&hash=item25bde4ac1a:g:PVIAAOSwbwlXCsoz http://www.ebay.com/itm/Dialogic-D-41JCT-LS-Combined-Media-Board-Voice-Interface-Card-/332385891932?epid=86074960&hash=item4d63be365c:g:sm4AAOSwo4pYCRGh It's a little strange; these go for like, $5,000 brand new, and some of them weren't even opened. From the auction descriptions, it sounds like some people are mistaking these for dial-up modems. If you're willing to go through the trouble to develop software for them, it's a ridiculously good deal. There's also another card you can occasionally find that's smaller and should be runnable using the same API. I haven't tested it, but if anybody wants to give it a try, here's one: http://www.ebay.com/itm/DIALOGIC-D-4PCIU-D4PCIUFW-44-0053-02-4-PORT-VOICE-FAS-MEDIA-PCI-E-CARD-/272741298914?epid=80086610&hash=item3f80a5f2e2:g:bPQAAOSwnK9ZVTr0
  4. No dice . Maybe! I wonder if a slow sweep tone or something would be in order. The pause/repeat thing sounds like it may be your long distance carrier changing routes. If you're okay with casual dialing (should be safe; I'd be sure, but I don't think it supes), try seeing if AT&T or MCI do the same. I'd be really disappointed if it was the case, but I was thinking this might just be the Nortel announcement card making that tone; they sometimes end calls with that same (or at least a similar) cause code. 706-219-0002 - Windstream NOC 434-223-6399 - Newer Otis elevator at university, on Meridian. 7200 is a Siemens elevator. 706-865 1112 - Ringout bridge 1113 - rec, "The number you have dialed is a party on your own line. Please hang up and allow the phone to ring several times before lifting the handset to talk." 1117 - Ringout 1118 - Ringout to Meatwitch VMB, Windstream Cleveland CO 1119 - Business 1120 - Ringout to Meatwitch VMB (CNAM: WINDSTREAM) 1121 - Loud, 20 hertz ringing x1 + hang up 1122 - Mitel PBX ringout to Express Messenger VMB, answers with **93604 1123 - Ringout 1124 - Ringout 1125 - Ringout 1126 - Ringout 1127 - Ringout 1128 - Ringout 1129 - Ringout 1130 - Modem 1131 - Ringout 1133 - Ringout 1134 - Ringout 1135 - Ringout 1136 - Ringout 1137 - Ringout to Meatwitch VMS 1138 - Ringout to Meatwitch VMS 1139 - Ringout 1140 - Ringout 1141 - Rings x1, hangs up quickly 1142 - Ringout 1143 - Ringout 1144 - Ringout 1145 - Ringout 1146 - Ringout 1147 - Modem 1148 - Modem 1149 - Ringout 1150 - Ringout 1151 - Ringout 1152 - Ringout 1153 - Ringout 1154 - Ringout 1155 - Ringout 1156 - Modem 1157 - Ringout 1158 - Ringout 1159 - Ringout 1160 - Ringout 1161 - Modem 1162 - Ringout 1163 - Ringout 1164 - Ringout to Meatwitch VMB 1166 - Ringout to Meatwitch VMB 1170 - Ringout 1171 - Ringout to Meatwitch VMB 1180 - Meatwitch VMB 1183 - Meatwitch VMB 1184 - Meatwitch VMB 1186 - Meatwitch VMB 1187 - Ringout 1190 - Really old AIS. Cognitronics? NIS report. 1191 - Same as 1190 1192 - Same as 1190 1193 - Same as 1190 1194 - Same as 1190 1195 - Same as 1190 1196 - Ringout 1197 - Ringout 1198 - Same as 1190
  5. I'll post it here. This forum is for sharing information, not hording it. https://openload.co/f/1ZIT1mcLD3U/system-75_atttj.zip Long story short, there's an AT&T Technical Journal article on the System 75 - the Definity's ancestor my friend was nice enough to snap some pictures of at a university library. I won't mention them unless they specifically want me to, but it goes into a reasonable amount of depth about the Definity's hardware and software architecture. Part of what it details is the Definity's DCP protocol; the one used to communicate with the phones. It's an ISDN spinoff, long story short. Probably a variant of 5E custom. If you take a close look at the cards, you'll notice there's some Siemens PEB2075 (iirc) D-channel exchange controller ICs on them that all but confirm it's ISDN. A logic analyzer or an ISDN-specific protocol analyzer will take you a long way in figuring out the differences between this and an off the shelf basic rate interface. I don't see a lot of issues with Definity cards, but usually it's just some discrete components that flaked off because of heat or mishandling. I can't claim surface mount soldering is easy, but it's doable. Especially when it's just a few capacitors or resistors that were very clearly ripped off the PCB. Not especially, no. While I've heard a lot of things about the ICPs (am I the only person who goes out of their way to call them Insane Clown Posses? I feel like a dork for letting that crack me up), not a lot of them make me confident in their ability to behave under normal circumstances, let alone when someone takes their fans away. More to the point though, the Definity fans are off the shelf 120mm ones. You could take ten minutes to slap new ones on instead of literally endless years of soul crushing work. I had this conversation with Gewt at one point, and she suggested a pair of these: http://www.mouser.com/ProductDetail/Sanyo-Denki/9S1212L401/?qs=sGAEpiMZZMt9MS9kROxCwxJGgTye%2bJ04n%2bGQcnh6s2E%3d . While the noise level isn't currently a big issue for me (the Definity lives in my garage), the fans both use standard color codings for +5/+12 volts and ground. To be safe, maybe compare with a thermometer for about a half hour or so on both to make sure the new fans are doing what they should, but otherwise, you should have a quieter Definity in a lot less time for in all likelyhood a lot less money. With all due respect, you're not likely to find a lot of people supporting that belief in any sort of practice. As someone who doesn't have a serious knowledge of car engines, if I were to ask a team of mechanics to develop a custom replacement engine for me and informed them that I wouldn't be able to help them make it, even if they liked the engine, there's probably no team in the world that would take on such an effort for free. You could apply this same idea to construction, music composing, or like I said - any sort of practice that involves significant skill. This is getting out of the realm of this topic, but on a personal note, I've seen far, *far* less UCx systems out there than I do original Norstar or BCM systems in place. The economics make much more sense in that case too; lots of nationwide store chains have Norstar key systems. Definities are more of a one-off system for mid-sized businesses and offices. The only chain users I know of off the top of my head are Nordstrom and Motel 6. In the first case, they don't show any interest in getting rid of their Definities, and are installing Auras that can support DCP phones in all their new stores. In the second, aside from attendant consoles and maybe one or two staff phones, the phones are all vanilla analog sets. If you'd like to pick up a UCx though, you can probably get one for pretty cheap from one of the Toys 'R Us stores going out of business. That being said, please do keep in mind that this forum isn't a business, and none of us are getting paid to do this; this is all funded with money out of our pockets and with a substantial chunk of spare time out of our personal lives. When I started trying to learn out how unlock Definity processors - three years ago, I hadn't written a line of code, and had a generally much fuzzier understanding of how computers and even phone switches worked internally. Much like phreaking has continually helped me learn a lot of new skills and ideas, It's partly thanks to being able to stick with this undertaking that I was able to gain a much more solid understanding of computer software and time division multiplexing, and help make a lot of great things happen in the process, like bringing Definity service to Toorcamp and hopefully saving some PBXes from the scrap heap. As a general rule, most people who do this sort of thing are ready to help everyone else with that sort of understanding; it always leads to great things, but that readiness ends on huge projects the initiator shows no motivation to participate in. If you don't like this, well, we've already given you an ample amount of resources you'll find literally nowhere else on the internet to help you start, and some of them have been uploaded specifically for your benefit. You're welcome to expect a better response from all the other groups of people doing Definity reverse engineering.
  6. Slip in some vanilla vodka, and we're _definitely_ in business. I detailed a bit about this on the first page; basically, there's just a substitution cipher that's used to encode the password; so like, it'll change all As to Zs, Bs to Xes, etcetera. After it's done with that, it'll switch around the byte order. I only had first several written down (fifth is first when unscrambled, sixth is second, fourth is third, seventh is fifth, first is sixth, third is seventh, ninth is eighth, eleventh is ninth, eighth is tenth, tenth is eleventh), so figuring out how to get the rest was mostly a matter of figuring out what word they were trying to put in there. The Definity OS has no RAM protection, so once you figure out what address the password is stored at (which isn't hard; just ctrl+f for inads in the ramdump. You'll see two iterations of the obfuscated passwords next to their respective usernames. The first one is the current one, the next is the previous password you used; the idea being you aren't supposed to use it again), you can use the wva (write virtual address) command to overwrite the passwords if you want. On that note, the ramdump can be translated back into binary data by filtering out all the crap from the dump program. There's probably an elegant way to do this with awk or some other Linux tool. It's times like these I can be more sloppy than I care to admit; I'll just use Openoffice. After getting rid of all the things that obviously aren't data, like the command you typed and the error message at the end, you do some find and replace functions; one for '0x' and another (with regular expressions enabled) for '004.....:' . When you're done, nothing should exist except the data (minus the 0x portion) it was spitting out. Paste this into a hex editor - I prefer HxD, and save it. The answer to that is very likely yes. I'm mostly seeing a lot of blank bytes in that file, though. How're you uploading it? Yeah; you can just use mode codes (DTMF) instead of a C-LAN card. I *think* I talked about what RPMs to install at some point in this thread. Lemme know if I didn't/you'd like me to walk you through it. Nope. Release nine doesn't use any sort of key-based licensing, so while the R12 processor will accept the translations, it'll run in no license mode. In a word, it's no fun mode. The translations for the later systems also have a key that includes the processor's serial number. I dunno if/when there'll be any concrete success to work out, but for the moment, the processor I yanked off eBay had some encouraging things to say: If you play around (don't be shy; carrier grade telecom gear isn't exactly made of glass), you'll find the byte that tells the Definity to prompt you for ASG instead of a regular password. It should be about 112 bytes after the last character of a password, and will be a 0x01. There's like, six, so a minimal amount of trial and error will find it. When you get a copy of your translations file, change it to 00, and change another 00 in the file (most next to the first byte should be fine) to a 01 to satisfy the checksum and upload it. If you do this for, say, inads, you'll have permission to write to the system's RAM at will. You can change this for init, but the system will just ignore this. Sort of a moot point, since not much can be done in the way of activation without knowledge of the licensing. Yup, sorry. It's just been an interesting week. Long story short, my hands have been a little tied. Even on the worst of days, I'll find time to hit the conf, but sometimes my ability to respond to forum stuff gets onto the chopping block.
  7. I may have a copy that came as part of a backup of some super sketchy Russian FTP. When I get home, I'll look into that, among some other things, and finish writing up the aforementioned Definity unlocking stuff.
  8. If you feel like using putty, one thing I've had some particular success with in minicom are the VT220 function codes. It's been a while since I've had a Windows machine hooked directly up to the Definity, but I think this works roughly the same. In VT220 mode, the shift+Fx keys should be mapped to the Definity function keys. For example, shift+F5 is help, shift+F7 is confirm. Page up/down are mapped normally, and cancel works as delete. On some notebooks, sometimes the function keys will move around a bit, so you'll wind up with shift+f3 or something doing what you want. It takes some trial and error, but once you've got it down, it relieves a lot of terminal headaches.
  9. I'll update this post with some more info when I'm not getting ready for work, but for now, the password for your release 6 card is '0nvacat10n'. Nothing like a cute little Definity word scramble to start your day. I guess you just had a different build than the other release 6 I unlocked.
  10. Try booting the system without a card and logging in as inads. The command 'go debugger local' should be available from the command interface, though not listed. At the debug interface, type this: rd -f 2000000x pam 0x400000 . If you post the dump on here, I can filter the output to reflect the actual binary it's dumping pretty easily. If you want to just upload it, I can A) tell you the password, B ) tell you what ram address and commands you need to use to change it, or C) we can skip all this crap, and you can just try the password 'e5peranto'. If I remember right, that's the release 6 init password. A little less fun, but it gets you what you need.
  11. 617-534-0000 - Voicemail unavailable recording. 15A announcement machine (the kind the 5ESS uses) on a DMS-100? 617-248-9901 - Permanent signal announcement 617-248-9902 - Dial 1+NPA for toll calls rec 617-248-9970 - rec, "We're sorry, your call cannot be completed as dialed. You need additional digits to complete your call. This is a recording." 617-638-9905 - "This is an emergency telephone. Press 1 to talk..." 252-441-4392 - Norstar key system at Carolina Telephone Kill Devil Hills CO. Press * for options 207-442-9923 - Modem 207-442-9932 - 480 hertz tone!? Times out to ACB cause code 207-442-9936 - 620+480 hertz tone, times out to ACB cause code Those last two I'm really scratching my head on.
  12. Damn, you've been busy! Thanks for taking a look. The thing on 6091, for whatever it's worth, seems to accept some commands preceeded with a *. So for example, *1 will keep waiting; usually for a * to terminate whatever you're dialing. *3 seems to consistently wait for more digits after you press a terminating *. When it picks up, it spits out *9 and a bunch of zeroes. I think ten. Some of those modems on there are indeed, well, modems, but whatever this stupid PBX is will hear the 2100 hertz handshake tone and start trying to impose T.38 on the connection. Needless to say, it's as unnecessary as it is annoying; the connection to the outside is done over a PRI or some other T1-based thing. But yeah - sorry nobody responded to you; you definitely deserved one a lot sooner. If you feel like taking a look at the other exchange, it can't hurt, but I honestly don't have high hopes for fun stuff.
  13. I can see about trying to get you documentation on the Avaya DCP signaling protocol if you want, but what you're talking about would take an extremely significant amount of reverse engineering and development to accomplish. Especially considering the phones themselves are essentially dumb terminals; everything that makes them unique is on the PBX. Given that Definity parts are cheap, easy to find and repair if necessary, and at least with older systems completely unlockable now, I think you'll find more motivation to extend the life of the existing systems around here. You'll probably find people to be twice as hesitant to embark on any sort of coding project if you don't like to contribute any code.
  14. Looks like you were right; the number is going to a Singtel not in service announcement now. I guess now is our golden opportunity to try and figure out what it's routing over. The carrier tromboning their way over to what's probably Singapore (actually, does Singtel have any end offices in Malaysia? The C5 circuits were always on specifically Malaysian conference numbers. For whatever it's worth, I tried routing to them explicitly over the Singtel direct service and it never gave me any C5 cheeps) will cycle through several routes before eventually giving up. I guess after Intercall and Genesys merged, the old Genesys stuff was considered redundant. It was always really hard to find conference numbers on this thing. I always chalked it up to non-Americans not feeling the impulse to share everything; US conferences are disproportionately easier to find than, say, Canadian or Mexican ones. But shut down plans probably make more sense.
  15. I don't think the older units use packetized transport internally. Not sure about the newer ones. It's like the Panasonic "pure IP" PBXes that have a H.100 bus xD . While I don't have very high regard for the Callmanager (and I understand it's regarded as quite cumbersome internally), I wouldn't personally write Cisco off so quickly. Internally, if nothing else, they seem to judge protocols by their performance, and don't give a huge amount of stock to industry thinking. For example, they have a fairly expansive internal ISDN network. The WebEx stuff as well all has TDM trunks to the PSTN too. That being said, I just wound up buying a used IAD2431 router at gewt's suggestion, and will probably using it to connect my Definity to my POTS line; the CO trunk card is leaving a few things to be desired. I guess I'll find out for certain soon what a Cisco TDM experience is really like. Getting back to the thread's original focus though, I have a friend who worked for a CLEC a few years ago. The CLEC was mulling the idea of starting a wireless network, and was weighing what to use as an MSC and base stations. They contacted Alcatel-Lucent about the idea of getting a 5ESS, and as it turns out, they wouldn't sell you any mobile gear without one! Though unfortunately, they also wanted some price into the seven figures for a 5E. Also, has anybody dialed on an analog line from a 5ESS-2000? From what I understand, they're mostly in newer installations; CLECs and such, but they redesigned the space division stage that uses relays to connect you to a line card. If I understand right, it sounds different from the more common 5ESS noises.
  16. So recently, Gewt pointed me to some strange wind measuring thingies that sit on phone lines: 505-243-8664 - Other Windtalker 408-776-0101 - Windtalker 505-891-1733 - Windtalker 888-700-9279 - Windtalker 209-826-9019 - Windtalker 907-694-3017 - Windtalker 650-877-3585 - Windtalker replacement? Uses DECTalk Here's the closest thing to a manual: http://www.litek.com/WT4MAN.htm 314-658-1205 - Thingie on a Definity in an AT&T Toll office. 121T/HIllsboro more specifically. It answers with three * tones, and will eventually flash if you just sit there. A modem comes on out of nowhere (which will prompt for a station number of some sort if you connect) eventually. If it hangs up on you, you'll get some hold music before it returns you back to the thing that sends three * tones.
  17. My understanding is the switch portion of the packet switch is called a call agent (typically -CA0 or whatever if you're looking at a CLLI). A media gateway is just something that takes analog or TDM trunks/lines or whatever and interfaces them with the call agent. Sorta like a huge ATA. What differentiates a packet switch from a circuit switch (as far as I know) is that a packet switch internally uses packetized transport, while a circuit switch uses a time slot interchange to connect traffic. Though this isn't always black and white; sometimes media gateways have time slot interchanges. I guess if you want to be all lawyerly about it, that's technically not part of the switch. Then there's the term softswitch. As far as equipment vendors are concerned, I honestly think that's just a bullshit marketing term. A softswitch, as they put it, is a switch that's based entirely in software. A lot of packet switches will consolidate some components from the design of a circuit switch into software, but they're sold as custom, proprietary blades; there's a snowball's chance in hell you're running CS-2000 or Metaswitch software on a vanilla PC. There are things like Freeswitch and Asterisk that are actually softswitches, but the line between what is and isn't called one has been blurred by marketing weasels.
  18. There's been a conference that's consistently been going on every day at 10 PM Eastern. If you're bored, drop by . 631-788-0001, xt. BINREv
  19. So after some consideration, I thought here would be a good place to post some info on some US West integration lab switches. There's no real potential for fraud given the circumstances, and plenty for good fun. These are, as the name would suggest, isolated almost entirely from the PSTN. 303-707-9122 and 9123 are the access numbers. 9122 is a DMS-100, the latter a 5ESS. So, well, where to start with these things? As you probably expect, the dialplan is sort of make it up as you go along. There's some common ground between the two, but the differences are quite easy to rack up. So, well, listing this stuff seems like as good a way as any to present it. By the way, the 5ESS has a more digit-by-digit translation style, so it can be easier to find stuff through, but it's harder to tell where a call is going. The DMS-100 makes a soft tick on inter-office calls and sounds louder on intra-office stuff. DMS-100 things: 1-800-555-1212 goes to a cryptic IVR asking you for a destination number Some CACs go to a Sonus stock recording (no doubt a lab Sonus), others just go to reorder 720-993 (lab DMS-10; -1000 is remote call forward dialtone) is available Some CLASS features like *67, *82 available. *69 works occasionally. The first time I tried it, it told me 720-995-3037 called, the second it just turned it's nose up. 303-444-4444 gets wrbly live rep of some kind 5ESS things: Some CLASS features like *60, *63, etc available. 011-anything rings out to a Qwest UM VMB Generic, blanket numbers that ring out to the Qwest UM VMB do it via some other switch; the DMS-100 does it on it's own Generic, blanket numbers going to the Qwest UM VMB do not allow you to enter another account number, unlike the DMS 303-444-4444 gets ACB recording 602-379-9999 rings out via 5ESS to some other UM VMB, allows entering in whatever account you want. You'll notice quite quickly that it doesn't have any UM VMBs in public service. 406-958-xxxx goes to Sonus Other stuff: 303-994-00xx go to Qwest update center (*78) IVR with weird context 720 and 303-99x, 98x seem to be where the most interesting stuff is. 720-995: 0399 - NIS via lab 5ESS 1000 - lab DMS-100 ringout? Via lab 5ESS, gets NIS 1001 - NIS via lab 5ESS 2999 - lab DMS-100 ringout 3000 - Qwest busy line doohickey 3001 - Ringout to Reorder 3002 - Same as 3001 3003 - Same as 3001 3004-3006 - Reorder 3007 - Same as 3001 3008 - Reorder 3009 - Ringout 3010 - Ringout 3011 - Busy signal via ? 3012 - NIS via lab 5ESS 3013 - NIS via lab 5ESS 3014 - NIS via lab 5ESS 3015 - NIS via lab 5ESS 3016 - NIS via lab 5ESS 3017 - Ringout 3018 - Ringout 3019 - Ringout 3020 - Ringout to Embarq Meatwitch VMB 3021 - Ringout 3022 - Ringout 3023 - Ringout 3024 - Ringout 3025 - Ringout 3026 - Ringout 3027 - Ringout 3028 - Ringout 3029 - Ringout 3030 - NIS via lab 5ESS 3031 - NIS via lab 5ESS 3032 - NIS via lab 5ESS 3033 - Ringout 3034 - Ringout to UM VMB 3035 - Ringout to Meatwitch VMB 3036 - Ringout to Meatwitch VMB 3037 - Ringout to Meatwitch VMB w/greeting 3038 - Ringout to Meatwitch VMS, cannot send message 3039 - Ringout to UM VMB 3040 - Ringout to Meatwitch VMB, lab VMB for 720-995-3040, 303-396-9346 3041 - Ringout to 5ESS NIS rec 3042 - Ringout to Meatwitch VMS 3043 - NIS via lab 5ESS 3044 - NIS via lab 5ESS 3045 - NIS via lab 5ESS 3046 - Ringout to NIS via lab 5ESS 3047 - Ringout to NIS via lab 5ESS 3048 - Ringout to NIS via lab 5ESS 3049 - Reorder via DMS 3050 - Ringout 3051 - Ringout 3052 - Ringout 3053-3099 - NIS via lab 5ESS 3100 - NIS via lab 5ESS 3999 - NIS via lab 5ESS 4000 - Busy via ? 4100 - Ringout to Meatwitch VMS 5000 - NIS via lab 5ESS Other 5ESS fake toll prefixes: 206-358-? 541-245-? 928-xxx-xxxx? 612-374-? 575-606-? As for calling these things, there's a few things that you should probably know. If you want to make multiple calls on the same call, press ##. The phone patch will beep twice. Press ** in reasonably rapid succession and it'll get you a new dialtone. Sometimes when you press * normally, it'll do this annoying thing where it doesn't pass the DTMF to the switch, but briefly increases the volume level. If you want to pass a * when it does this, wait for the volume level to return to normal before pressing * again. On regular calls, *# can be used to flash. Much like any other, the 5ESS will consider a flash on any sort of local intercept or reorder a request for new dialtone. Have fun! Post if you find anything cool . Or for that matter, if you have any questions. Most of these notes were made without a big audience in mind, so some of the terms (UM, for example is Unified Messaging. The Centurylink platform in ex-US West areas is an AT&T Labs Unified Messaging thingie if I understand correctly) aren't especially obvious.
  20. Nope. The C-LAN board I bought wound up being a dud (just a few surface mount resistors will probably fix it. Sadly, I'm not especially great at soldering), and under the pre-R9/10 releases, there's pretty limited incentive to have one of those cards anyway; remote management over a C-LAN card wasn't a thing until relatively late. With the weird CELP codec this instance of Audix records everything in, my interest in it is honestly sort of done for the moment. Especially since I can make a lot better use of the Dialogic card it uses with my own software.
  21. So I tried making a few calls to Saskatoon. Your mileage may vary with this. Try a couple different carriers if your first choice doesn't work. 306-958 9999 - rec, "You have reached HPR switch SKTNSK0105T, Saskatoon 5, Sasktel. This is a recording. 306-5T." 9998 - rec, "You have reached the Saskatchewan virtual node. SASKSKXN01T (possibly D?). Saskatoon 05." 9997 - rec, "The new area code for the number you are calling is 250. This call cannot be completed. Please hang up and redial using area code 250." 9996 - rec, "There is a problem in completing your call as dialed. Please check the number and dial again. Or call your operator for assistance. This is a recording. 306-5T." 9995 - Same as 9996 1105 - 105-type test 1111 - 102-type test 1113 - rec, "You have dialed a number to which long distance charges apply. Please dial one or zero and the area code before the number you are calling." 1114 - Silence? 1115 - Long silence to busy via SS7 1118 - Sasktel business communication center queue 909-382-0010 - Frontier 0 op forward 909-381-0001 - GTD-5 dialtone. For the life of me, I can't figure out what this thing is listening for; it waits forever, and gives a CBCAD to pretty much anything. 909-381-0004 - This is the standard GTD-5 permanent signal announcement for most of the west coast switches. If you haven't heard it before, it's worth a listen.
  22. Are you using inband or C-LAN integration? If I remember right, for inband, you'll want the to install the serial_inband.rpm package. For C-LAN, LANset.rpm ovltism.rpm . There's some other relevant packages I seem to remember being prerequisites as well; oehs.rpm, swinbase.rpm, SWINset.rpm, swmgmt.rpm .
  23. I'd give it a week or so; they still have the weird tromboning arrangement to hit the C5 trunks set up. If it was going to be gone for good, they would've gotten rid of that.
  24. Maybe. But so many numbers in there route without an SMS-800 database query. I think as far as 800 numbers are concerned, they just gave it some hacked up local translations. Notice how so many numbers only work on one of the two switches.
  25. So, couple things: Much like the US West switches in public service, 611 seems to wait for more digits. I have no idea what it does in or out of a lab environment, but on the lab DMS, it'll wait for three more digits (excluding 1/0; those go straight to reorder). On the 5ESS, it waits for seven. Also, on the DMS, 1-720 seems to go to different places than just 720; 720-993 for example terminates to the Sonus with a 1 first for some reason. Also, on exchanges in that area code that won't complete for some reason, it'll wait for four digits as well instead of the usual three. Hopefully, this'll wind up being a good way to teach translation logic on these two switches. There's a lot I want to figure out about how they anticipate digits.