ThoughtPhreaker

Everything posted by ThoughtPhreaker

  1. There's been a conference that's consistently been going on every day at 10 PM Eastern. If you're bored, drop by: 631-788-0001, ext. BINREV
  2. There's always been little slip-ups in the way AT&T restricts 800 numbers from 101-0288-0, for anyone old enough to remember that. But more recently, they've been doing some sort of weird call distributing technique; for example, if you're in one of these affected areas, they'll distribute calls to different OSPS switches throughout the country. Something about the trunk group you come in on instructs the network to allow 800 calls out from OSPS again from these areas. If you're around any of these areas, I've confirmed with some friends that it'll work: Washington, DC; San Francisco, California; Ontario, California; Fresno, California; Muskegon, Michigan; Oberlin, Ohio; Cincinnati, Ohio; Lincoln, Nebraska; Orlando, Florida; Tampa, Florida; Manchester, New Hampshire; Denver, Colorado; Dickinson, Texas; Des Moines, Iowa; Springfield, Massachusetts; Chicago, Illinois; Rolla, Missouri; Kansas City, Missouri; Fargo, North Dakota. As always, toll-free calls through the Honolulu and San Juan OSPSes will go through like they always have. There's also a few interesting scenarios, like tiny LECs with direct trunks to OSPS, where toll-free traffic has always gone through.
  3. So earlier today, I happened to call a CVS Pharmacy, and out of sheer boredom, started hitting options that weren't listed on the IVR. As luck would have it, 8+xxx will transfer you to a three-digit extension in the store! The few constants I've noticed from a quick, cursory glance are 4xx go to IVR extensions, 500 prompts you to log in - presumably to voicemail, and the lower extensions seem to be for in-store stuff. 100 pretty consistently goes to a fax. If you happen to have a "friendly" neighborhood CVS near you, be sure to give them a "friendly" phreak welcome.
  4. The ability to use OSPS seems to be on a switch-by-switch basis. I'm not quite sure what the pattern is, but if you want to scope this out, I encourage you to check every office you can locally.
  5. I've had a few people report that in some areas where this doesn't work yet you home off of a 5ESS toll tandem (and can dial 101-0288# and get a dialtone from it), sometimes dialing 101-0288# and then 0 at the dialtone will work. I'm beginning to think this has less to do with the office you're coming out of, and more to do with something in the SS7 initial address message. EDIT: I'll try to confirm, but this exception may not apply to payphones.
  6. Great to see some new faces! Especially in this thread. 0051 is a DATU. 0037 is a 105-type test as I think it's officially called. I think the idea is they do trunk testing. In any case, press 2, #, etc. to make it produce tones and noise. 0 commonly hangs up on those things.
407-238-6209, 6238 - Elevators on hotel PBX (Nortel Meridian)
407-238-6214 - Modem on hotel PBX: CONNECT CentOS release 6.5 (Final) Kernel 2.6.32-431.29.2.el6.x86_64 on an x86_64 XetaCAS_22832_MarriottRoyalPalms login:
843-414-0052 - rec, "We're sorry, your telephone is temporarily out of order. There may be a receiver off the hook. Please check your main telephone and extensions. Charleston, South Carolina. 843-1. CHTN."
502-753-0021 - 17A announcement machine
502-753-0059 - IVR, "Please enter your home phone number"
504-648-0010 - 17A announcement machine
  7. MtnHell and I talked about this a while back. It appears the switch is sending a battery drop and putting him back on his own dialtone. I've only seen a 5ESS reset like that a few times before in...ever. Usually only with very specific circumstances, like someone releasing a coin trunk, or CAC-0-710+ call attempts.
  8. For whatever it's worth, when I worked in broadcasting, most radio stations I saw used Telos NX12 or Vx hybrids. I would try to familiarize yourself with those (sometimes they have promotional videos with a DJ inside the booth - that'd be a good place to look for either) and see if you can match the sounds up with them. For whatever it's worth, in addition to the echo cancellation as Jman mentioned, there's also an option for other processing on most modern hybrids, like multi-band compression and automatic gain control.
  9. A friend of mine brought back Scanaday: https://www.aniparty.pw/
  10. Sure enough, 101-9017-1-405-959-0000 from a switch in Oklahoma City gets you some sort of weird test number from the tandem switch. Other stuff probably isn't far behind.
  11. I thought it'd be a good idea to keep a thread open for small, marginally interesting tricks that can be applied in the network. Especially since they can sometimes turn into larger things when they're explored. So, well, I'll start: In lots of ex-SBC areas, you can dial your home NPA + 700-4141 and get a recording from one of the local tandems (as in, a non-toll switch that handles calls between you and an exchange down the road or to a toll carrier) thanking you for choosing SBC as your intra-LATA toll carrier. Sometimes the switch blocks it or redirects it to your toll carrier, so you might have to use 101-0110 or 101-9017 to circumvent this. Also, HPNA-958/959-xxxx will try to complete from the operator IVR on these same switches, but seems to get a cause code or something back quite quickly. I dunno what this is supposed to reach or if some areas treat it differently than others, but usually you get a recording from the TOPS tandem when you hit something invalid.
  12. There's several numbers nearby, like 752-8055, that go to an ANAC.
  13. It's a very low hanging fruit in terms of exploits; any random script kiddie bot that happens upon it is going to have a hell of a good day. Given how frequently ISP modems are compromised now (for example, one of the Actiontecs where a remote administration interface is permanently stuck on 4567 or 7654 or whatever; I've seen people with these get free, grimly successful security audits) and how little of a say users are able to have in securing them, if you have a minimal, "the ISP just gave me this modem so I hook stuff up to it" configuration, I wouldn't put Audix anywhere near the internet. If you don't want to use a dial-up modem to administer it, you could always use a KVM or something; I'd recommend this more than an isolated ethernet network simply because Audix is designed to use an old version of Netscape to access the web UI from itself. The system runs very old SSL certificates, wants you to execute very old Java applications, and wants you to use a very outdated SSH session to administer it. Security aside, you're going to have trouble finding browsers that want to deal with that. And then you'll have to configure Java to actually execute the administration program it feeds you, unless you can figure out what it's supposed to be running. If I remember right, the Avaya Java SSH thing runs 'exec Fc' after it logs in to access the administration program. Given both the obscurity and how the C-LAN card runs a functionally independent OS (an old build of VxWorks) from the switch, the Definity shouldn't be any trouble so long as you're okay with telnet. I'd still recommend using a modern Linux system with SSH and running the system with minicom. Or a dial-up modem, just because I'm that sort of person. I've detailed in this thread how the VT220 mode can be used with an off the shelf terminal. There are however, undocumented TCP ports open on the card. 
I doubt your average automated Chinese script kiddie scanner is going to pose a threat to it, but use your own best judgement on that. You're in the wrong place if you think some horrendously bootleg mismatch of hardware running Audix is some sort of hallowed Avaya prayer ground. Or certainly if you don't want to get creative and dirty up your install. Encouraging anyone not to touch it goes completely against everything the hacking spirit stands for, and certainly the spirit of the effort on this thread to turn paperweights into powerful systems again. That being said, if you're going to stick your head in the sand to the tune of a 16-year old Linux kernel, proprietary or otherwise, any very cursory nmap scan will give a very good idea of its age to someone else. Perhaps you weren't paying attention when it was shown that the license file on these cards is encrypted using DES. With keys that're clearly sitting in the header files that we have, no less. Or that the system has absolutely no RAM protection, allows you to read and write to any address you please freely as a higher level user, that we have init access on these releases, and that we know the RAM addresses where the ASG keys sit on the switch. It's certainly an annoyance, I'll grant you. Nobody has approached me offering to help step the pam process on the Definity while the license file is being read, and for that reason, my motivation on more computer-oriented projects has been more to wrangle up Dialogic cards into doing sketchy things like scanning. Someday it'll make me really happy to unlock my release 11 Definity card, and certainly help everyone else do the same. For the moment though, most functionality on it works fine, and until I see more initiative to collaborate on this, I don't especially feel like trudging through pages of MIPS instructions. What sort of hardware architecture the system runs on is inconsequential to the licensing routine.
You've been repeating lines like this without providing any source or supporting evidence other than friends at Avaya, who're imaginary for all we know. Either you're some sort of Definity troll, or don't know what you're talking about.
  14. Like everyone says every time we do one of these, it's been a while! Show us your tastes in shameless materialism! $30 PCIE quad T1/E1 Dialogic DM3 card https://www.ebay.com/itm/Dialogic-Digital-Fax-Board-T1-E1-PCIe-DMV1200BTEPEQ-DMV1200BTEPJP-Telephony/282838946135?epid=1922689281&hash=item41da83d157:g:IAYAAOSwR21ZwpAK These are really nice cards for a number of reasons. The one holdback is you really need to know C to make them worth your while. If you have anything that speaks T1 and can stomach a bit of programming though, they are very much worth it. I'm running a similar model that routinely gets at least a couple hours of use every day. https://www.ebay.com/itm/Cisco-IAD2431-SPIAD2431-1T1E1-V03-2-Port-10-100-Wired-Router-IAD2431-1T1E1/263503336710?epid=99404097&hash=item3d5a05d506:g:KFIAAOSwaMhZwtZb Cisco IAD2431-1T1E1 router. You can't beat a Meridian or Definity for home use - there's no getting around that, but these are surprisingly flexible for a home network if you can tolerate the Cisco CLI, have a channel bank to use some analog lines with, and don't have enough room for a larger PBX like the aforementioned ones (and don't want to write a switch program to work with the card I just linked; they have GR-303 stacks). These particular models do TDM hairpinning as well, so the call is end to end circuit switched when there's no DSP involvement. There are really cheap VIC modules for FXO, ISDN BRI (though it won't do data calls), FXS (I'd recommend the channel bank though; I like it better than the Cisco analog stuff), etc. lying around as well to make it interface with whatever you have. Just beware; it does have IVR capabilities, but they kinda suck. https://www.ebay.com/itm/Used-Carrier-Access-Adit-600-Unit-with-3-FXS-Cards-TDM-Controller/183114060632?hash=item2aa272d358:g:HE0AAOSwJGlZhPg7 Adit 600 channel bank. Cheap as they come, and as good as they get for home POTS stuff.
They also do weird things like ISDN BRI if you can find the cards for them. 8434DX phone for the Definity. The VFD tends to be indescribably awesome on these, and the later phones (post-1997 or so; look for any without the AT&T logo) have off-the-shelf Noritake VFDs you can get for cheap to swap them with. Especially nice if you get stuck with a set that has a worn VFD. https://www.ebay.com/itm/Avaya-Lucent-Definity-8434DX-Display-Phone-in-Black-Refurbished-1Yr-Warranty/360688304873?hash=item53fab2c2e9:g:VywAAOSwaB5Xtk5r https://www.ebay.com/itm/Telos-Zephyr-ISDN-Codec-9202-Layer-III-II/232683424480?hash=item362d034ae0:g:TS0AAOSwjY1aixyk Telos Zephyr; ISDN MP2/MP3 audio transceiver. These are buckets of fun if you have access to one; most radio stations and recording studios have compatible models you can connect to and get really nice sounding feeds of their mixing consoles from. Also, http://wpr.org/isdn/ . The newer Xstream models tend to answer automatically for normal phone calls and patch you into their audio input instead of denying them as these do. https://www.ebay.com/itm/TASCAM-DR-07-Portable-Digital-Recorder-W-SD-Card/112853473299?epid=99407338&hash=item1a46975813:g:cDAAAOSwHM1any6e Tascam DR-07; these are flash based field recorders. I've been using one for about eight years, and can attest to them being a great way to record your, er, mishaps on the PSTN, among other things. Also, they tend to not break. https://www.ebay.com/itm/Meridian-NTFX00-M5317-ISDN-Office-Phone-Business-Telephone-FREE-SHIPPING/281650822675?hash=item4193b27e13:g:pJMAAOSwqu9VHZ9O Nortel ISDN BRI phone.
  15. That's my site, yeah. The server PSU died about a year ago, and I couldn't be bothered with fixing it for a number of reasons. Here's the files you're looking for: https://transfer.sh/l7PQi/DOWNLOADv1_44.zip https://transfer.sh/K2rhB/EXPRESSNETv1_44.zip https://transfer.sh/EGmdg/RATEFILESv1_44.zip
  16. I found something kinda funny yet possibly intentional and thought you guys might appreciate it. So assuming it's after hours or the weekend where you are, give a Morgan Stanley office a call. Pretty much any of them will work. If you don't have one, here: 800-488-0181. Pretty much all of them have toll-frees if you look at the branch's website - http://www.morganstanleyfa.com/locator/ . Anyway, when the IVR picks up, press 2 and it'll ask you for an "eleven digit extension". Give it a toll-free, and it'll connect you. While it will pass ANI, it does accept calls from payphones and will hide class of service digits. Interestingly, it does add an RDNIS field to the call to indicate it was forwarded. Try calling 800-330-8829 from it to get the number it's claiming to forward from.
  17. 800-940-0538 - "Welcome to Medscribe. Please enter your ID number, followed by the pound sign."
800-940-0588 - IVR, "Welcome to the Groupcast message distribution center. Please enter your pin followed by the pound sign"
805-544-0015 - University elevator? Try pressing buttons.
800-829-0314 - 711 number
512-328-5987 - Thingie on analog line w/WEIRD sounding tones
800-829-0129 - Weird Allstate test IVR, wants working DNIS to do anything interesting
  18. Sorry I've been so hard to get ahold of! It's been a busy month (though in about a week, that'll change). I've still been scanning and confing and stuff - and occasionally helping Technotite with the Eastern European switches, but I've been farming a lot of the former out to my computers. If nothing else, I've found a way to make scanning way more efficient without having to deal with automatic signal processing. EDIT: This isn't C5, but I found it interesting and still relevant to the thread. 18677709599.wav Sorry about the automatic gain control. If you're curious what it was outpulsing, it's KP+867-920-3660+(KP2)<pause>KP+0-770-9599-ST. Try pressing 0 when the queue system bumps you to voicemail; you'll wind up at the main auto-attendant, and given the run of the PBX. Also, that PBX appears to have a hundred block dedicated to it.
  19. This guy, er, doesn't seem very receptive to new things. That being said, in all fairness, how contemporary an audio codec is is extremely relative. AAC is certainly one of the more used ones out there, and it was introduced a year before the Cook codec this guy is using. It still doesn't change the relatively low sample rate or that it buffers like it's 1998 (niche product or not, who pays for an effectively broken stream exactly?) or, well, that Real Player is still Real Player. That whole "I have a black box and nobody is allowed to touch it" model reminds me a lot of the other crap that faded into obscurity, like QSound, Q-Zar and HD Radio. I always thought the huge resistance to anybody seeing how it worked was hilarious.
  20. So a friend just sent a video to me which kinda made my head explode a little. Anybody else wondering what's going on in this picture? Or all 23 or whatever per second? Something tells me this isn't a Millennium hooked into the Quortech hivemind.
  21. Whenever it's ready, I can provide a phone line and modem for this; just say the word. This might actually be a good test case for the Tracfone forwards.
  22. That would make sense, yeah. For whatever it's worth, the Qwest 5ESS you're calling passes the not in service message back over an out of band channel. Some routes might just be responding to that their own way. I tried checking a few cheap carriers, but didn't have any luck. For whatever it's worth, I think Google Voice uses bandwidth.com or Level 3 for outbound stuff.
  23. So some years ago, someone pointed out to me that Tracfone billing is done on the actual phone itself; not the network. So with that in mind, I gave something a try, had some decent luck with it, and figured I'd pass it on. At least on phones using AT&T's UMTS network (though I assume this applies to the CDMA phones too), general call forwarding is blocked as it should be, but call forward unavailable/busy/no answer has to be active for voicemail to properly work. So sure enough, using standard GSM call forward codes, you can send those calls elsewhere, and it won't deduct any minutes on the account. At this point, you can ditch the phone in a suitably shady manner, like sliding it under a vending machine at the airport. One caveat with this is that the AT&T mobile network's toll trunks _suck_ (you may have better luck with some of the other carriers. I'd try Verizon if it's convenient/CDMA turns out to work). Compared to just straight 1+, these trunks are ridden with discomfort noise and latency. If you're willing to deal with this, at the very least, it will not be transcoded like normal cell calls are. I don't know for sure, but both of these may very well be avoidable anyway if you choose to forward to a number local to, or otherwise within range of direct trunks to the mobile switching center you're assigned a number on. Keep that in mind when you give Tracfone your zip code.
  24. Their toll network is purely DMS-250s and 300s, yeah. Their hardon for Nortel is pretty pronounced, though; a lot of the ex-Sprint Local territories are almost entirely Nortel switches. Their mobile network is a bit of a different story, though.
  25. I'll look into bringing up the Audix instance again this week and testing this. I don't seem to remember this being a serious problem though, for whatever it's worth. I could give you a valid R11 translations file, but the problem with that is it has a license file on it that's been paired with the processor's serial number. I can still get it if you want it, but I don't think it'll do you much good until more effort is done to reverse engineer it.