Reaper45

Decoding a number from a file

23 posts in this topic

I'm trying to decode the DTMF tones of a number from a recording I just made. The problem is that there is too much noise from cars and the wind, and it doesn't seem that I will be able to remove it easily. I tried to reduce the noise with adobe audition, but I'm not very good with it. Do you guys want to give a try?

The recording is from a payphone in Spain. The payphone automatically dials it when a hack attempt to the setup menu is made (enter *23# and input an incorrect password 3 times). Although the micro goes out, the payphone does not turn off the speaker after that, so I was able to catch it.

Soon I'll write a good article on hacking Telefonica payphones :D

http://www.megaupload.com/es/?d=8ZPFGSB0

0

Share this post


Link to post
Share on other sites

I was about to help you, then I saw the link.

Megaupload? Fuck that, post it on the board here. Megaupload sucks. At least the board doesn't make me enter a shitty CAPTCHA, find the hidden "free" link, then wait a minute or two to click another "free" link while making me feel like some sort of lowlife.

0

Share this post


Link to post
Share on other sites

Although using Goertzel Algorithm can be okay, but I think FFT with some Windowing is essential to reduce the noise effect in this case.

The attached file may help you more, higher amplitude & sampled @ 4KHz, DTMFs don't need more than 2KHz sounds anyway.

1_modified.wav

0

Share this post


Link to post
Share on other sites
Although using Goertzel Algorithm can be okay, but I think FFT with some Windowing is essential to reduce the noise effect in this case.

The attached file may help you more, higher amplitude & sampled @ 4KHz, DTMFs don't need more than 2KHz sounds anyway.

Thanks. I had a go at it with Audacity. I was able to see eight digits, and make a guess at the last four. The column frequencies (high tones) were the only ones I really could hear or see, so I had to really guess at the low tones.

  1. Digit 1 - column 2
  2. Digit 2 - column 2
  3. Digit 3 - column 1
  4. Digit 4 - column 1
  5. Digit 5 - column 1 row 3 (7)
  6. Digit 6 - column 2 row 2 (5)
  7. Digit 7 - column 2 row 1 (2)
  8. Digit 8 - column 1 row 1 (1)

Could you record it a couple more times, Reaper? More recordings will help.

0

Share this post


Link to post
Share on other sites

OK, thanks for the help. I have more recordings, but this one was the best I got. They were made with my Nokia phone (sorry for that :D). Next time I'll try recording it at night.

By the way, I know for sure that it is a nine digit number. After searching a bit I found a doc that says that there is a number for every state. So we could guess from this that the first one is number 9, and the second is possibly number 2. That is the area code of my state.

Also, the paper says that I need a v.23 modem to connect to the number or the payphone... Wikipedia says that I can put my modem in v.23 mode by changing the S37 register (http://en.wikipedia.org/wiki/Hayes_command_set). I tried it with the payphone number but I got a "no carrier" answer. In speed autodetect mode (0), at least I was able to get garbage in the terminal.

Payphones here react strangely. If you dial the number, the payphone answers automatically after a tone, and you can hear the noise of the street and the people talking (!!) and a few seconds later, the line is silent and the carrier answers.

The board doesn't allow me to upload any .amr or .rar files, so you'll have to deal with mega. (Hint! Sayonara to captcha and hidden links. xD)

http://www.megaupload.com/?d=DP73BG50

Edited by Reaper
0

Share this post


Link to post
Share on other sites
The board doesn't allow me to upload any .amr or .rar files, so you'll have to deal with mega. (Hint! Sayonara to captcha and hidden links. xD)

http://www.megaupload.com/?d=DP73BG50

... Don't insult me. I'll wait for someone to post the recording here.

Last time I checked, RAR wasn't an audio format. You're doing something wrong. Just post a plain WAV or MP3.

0

Share this post


Link to post
Share on other sites

Oh, I do not. Megaupload always gives me my daily ration of warez xD. I posted a rar just because they were a lot of files.

Anyway, finally I was able to get a good recording. Now the software DTMF decoders analyze some tones, even if they are wrong.

Here it goes.

15.wav

0

Share this post


Link to post
Share on other sites

Here is the section with only the tones, listening to the whole thing it sounds like a debit machine. Try getting closer to the machine to get a better recording.

tones_amplified.wav

0

Share this post


Link to post
Share on other sites

Hi,

It looks like you're running on Windows, but for anyone else who wants to perform this sort of thing on Linux (and possibly cygwin).

Multimon can decode DTMF files from wav file or audio input

http://pwet.fr/man/linux/commandes/multimon

Sox can also be used to filter (band pass) to clean up the audio.

Have fun,

Mungewell.

0

Share this post


Link to post
Share on other sites

I've been playing with this for few minutes with multimon/audacity...

kornholijo@tabby:~$ multimon -t wav -a DTMF tones_amplified.wav

multimod © 1996/1997 by Tom Sailer HB9JNX/AE4WA

available demodulators: POCSAG512 POCSAG1200 POCSAG2400 EAS AFSK1200 AFSK2400 AFSK2400_2 HAPN4800 FSK9600 DTMF ZVEI SCOPE

Enabled demodulators: DTMF

DTMF: 9

DTMF: 0

DTMF: 0

DTMF: 0

DTMF: 0

DTMF: 0

DTMF: 7

sox effects: resample clipped 6 samples; decrease volume?

sox sox: -: output clipped 2 samples; decrease volume?

After decreasing volume with sox I got same results.

Then I tried to "remove" the noise with audacity...

kornholijo@tabby:~$ multimon -t wav -a DTMF tones4.wav

multimod © 1996/1997 by Tom Sailer HB9JNX/AE4WA

available demodulators: POCSAG512 POCSAG1200 POCSAG2400 EAS AFSK1200 AFSK2400 AFSK2400_2 HAPN4800 FSK9600 DTMF ZVEI SCOPE

Enabled demodulators: DTMF

DTMF: 0

DTMF: 0

DTMF: 0

DTMF: 0

DTMF: 1

DTMF: 0

DTMF: 0

DTMF: 7

Now it "detects" 9 numbers..

The quality of the recording is poor.. I was playing with the amplified sound, going to try the original now, maybe different results..

After some more "noise removal", multimon doesn't detect any tones... hmm... attaching it.. (all the "filtering" probably screwed the tones up..)

We can assume that the first number is 9 and the last one is 7?

The easiest solution would be best to get a good recording, maybe with a pickup?

@chronomex: the 9th digit isn't very loud, I possibly can hear even the 10 digits? Or I am just tired ;o

tones4.wav

Edited by Kornholijo
0

Share this post


Link to post
Share on other sites
The easiest solution would be best to get a good recording, maybe with a pickup?

@chronomex: the 9th digit isn't very loud, I possibly can hear even the 10 digits? Or I am just tired ;o

I was using audacity to select the digit and then do a frequency analysis, decoding the digits by hand. It's not actually that laborious, just look for the highest peaks in each of the two frequency bands and look it up in a table.

What you're hearing as a tenth digit sounds to me like a ringback tone that comes on really fast. It's the same frequency as the later ringbacks, it's got weird time/amplitude dynamics, and (perhaps most convincingly to me) it's not a frequency used in DTMF.

The major issue with this recording is that the low tones of each pair keeps getting cut off. OP, can you hear anything that actually sounds like DTMF? Because it's not coming through in the recording. You should hear a distinctive dissonance between the two tones of each digit.

0

Share this post


Link to post
Share on other sites
@chronomex: the 9th digit isn't very loud, I possibly can hear even the 10 digits? Or I am just tired ;o

I hear the 10 digits as well.

I am just going to try to get the 10 digit number by just doing it one tone at a time, then compare with my phone.

I will post back if I find anything.

Edit:

So Far:

1st Digit = 9 (like stated before)

2ed Digit = 5 (not 100% I will compare after I get the other digits)

That is it, so far, I am at work and trying to work on a server and do this so it may take me a little longer.

Edited by biosphear
0

Share this post


Link to post
Share on other sites

You might not have realized yet that the last one was recorded at night and that I did it directly from the payphone's speaker. Anyway, I appreciate a lot your interest in helping me guys. Here's what I realized:

The 10th digit that some of you are hearing is indeed a ringback tone. I am able to hear it clearly after forcing the payphone to dial the number. I wonder why it connects so fast. I am also a 99% sure that there are only 9 digits as it is the standard here in Spain.

I also have read that the number is different in every state, so the first an the second digit could be "9" and "2", as those are the ones that belong to my city.

I'll keep trying to get better recordings, this time with some other hardware.

0

Share this post


Link to post
Share on other sites
Megaupload? Fuck that, post it on the board here. Megaupload sucks.

That's not nice, they're better than alot of other free download/upload sites and I wouldn't be able to get alot of porn otherwise.

0

Share this post


Link to post
Share on other sites
The 10th digit that some of you are hearing is indeed a ringback tone. I am able to hear it clearly after forcing the payphone to dial the number. I wonder why it connects so fast. I am also a 99% sure that there are only 9 digits as it is the standard here in Spain.

I have never heard a ringback connect so fast.

Any ideas any one???

0

Share this post


Link to post
Share on other sites
I have never heard a ringback connect so fast.

Way back in the day my girlfriend and I were on the same 5E. Calls completed about that fast.

0

Share this post


Link to post
Share on other sites

Disclaimer: I DO NOT condone any illegal activity, nor am I responsible for your actions. The information provided here is not illegal, nor was it illegally acquired.

I've decoded a lot of DTMF in my life, so I went ahead and took the time to come up with the 9 digit number you were looking for in your new recording. I did this 100% by ear, as all DTMF should be decoded; there is no better substitute! Here's your DTMF string:

9-0-0-1-1-1-0-0-7

Hopefully that's correct. As much skill as I've developed in decoding low quality DTMF by ear, I still screw up. Does the above string look like something that would be dialed in Spain?

0

Share this post


Link to post
Share on other sites

Yeah, but the automated lady says that the number is not in use. It's still amazing that you did this by ear.

P.D.: It's the first time I see a forum reply with a disclaimer xD Nice.

0

Share this post


Link to post
Share on other sites

Ok, I've gone over the tones very carefully by ear again, and I'm very confident about all the tones I decoded except for the three '1's that I threw in the middle. They are most definitely all the same tone, and share the single frequency of 1209 Hz, meaning it's a 1, 4, or 7. Below I have typed the strings and possibilities (of 3 DTMF strings) accordingly.

Here I typed the string using [1/4/7] in brackets to show that the tone is either a 1, 4, or 7:

9-0-0-[1/4/7]-[1/4/7]-[1/4/7]-0-0-7

Here I used variable y in algebraic terms, in which y is the exact same number, meaning its value cannot vary where it displays three times consecutively:

9-0-0-y-y-y-0-0-7

Based on the above information, we can be sure that there are 3 possibilities for this DTMF string. Here they are:

9-0-0-1-1-1-0-0-7

9-0-0-4-4-4-0-0-7

9-0-0-7-7-7-0-0-7

I can't determine the value of y because that tone isn't recorded well enough. Once again, I want to make it clear that I did this 100% by ear, since it's truly the only efficient way to decode low quality DTMF. Hopefully this time I've been more accurate. If y is truly all the same number, but it isn't 1, 4, or 7, then you could always scan the rest of the possible digits.

DTMF aside, this phone number you're trying to decode may be one that is only dialable from payphones. I'm not familiar with Spain's telephone network, but in America there are numbers that only answer to specific phone numbers or classes of service (types of phones) based on ANI and/or Flex-ANI information. If this is a number that the payphone's modem dials when there is a "hack attempt" made, then it should reach a carrier/modem when called. Keep that in mind if you're pondering anything.

EDIT: If I had to choose one DTMF digit that I wasn't 100% sure of (besides y), it'd be the 7 at the end. That last tone most definitely contains the 1209 Hz frequency. So if none of the three possibilities above for the DTMF string are correct, then it may be this last tone that's inaccurate. If this ends up being the case, you'd have to generate a new possibilities list. I still think it's probable that the last digit is a 7, but I can't help but wonder, considering that the quality is poorer than the other tones.

Edited by Royal
0

Share this post


Link to post
Share on other sites

I want to make another post based on Spain telephone numbers and their numbering assignments.

There are indeed 900 numbers in Spain, which are toll-free to the caller, and paid for by the owner. They're basically the same as toll-free 800/888/877/866 numbers in America. I found this information at http://www.andalucia.com/travel/telephone/numbers.htm. Here's a quote:

900 Numbers

900 numbers are freephone numbers in Spain. You do not pay for this call. The company offering this number is interested in receiving the maximum number of calls and will pay the full cost of these calls.

Here's another quote that precedes the one above on that same website:

The numbers 900, 901 and 902 are used by normal businesses to encourage you to call them and to allow them to operate nationally without the need for local numbers in each area. People are often very wary of calling businesses that they know to be on the far side of the country. For instance the Linea Directa insurance company uses a 902 number in all of their advertising. Do you know where there offices are?

Finally, I used Google to find a website that has their business's 900 numbers listed, followed by two '1's. The website is at http://www.log-cabin-insurance.com/contact.html. Here's a quote for that site:

Intasure

Suffolk House

George Street

Croydon CR0 1PE

UNITED KINGDOM

Sales Tel: 0845 111 0680

900 11 0680 (in Spain)

Claims Tel: 0845 111 0672

900 11 0672 (in Spain)

Admin Tel: 0845 111 0670

900 11 0670 (in Spain)

Fax: 0845 111 0682

900 11 0682 (in Spain)

Email: enquiries@intasure.com

This information makes me feel more confident about what I was able to decode by ear. 900 numbers are free to call, and it would make sense for a toll-free number to be dialed from a payphone line, since it belongs to a business, and especially if the payphone's line has toll restrictions to force customers to make coin deposits for toll calls.

0

Share this post


Link to post
Share on other sites

Hey folks, not sure why I didn't check out this thread before, but here goes:

By ear, I would say it's 900-11-1007, and I'm 80% positive on that.

0

Share this post


Link to post
Share on other sites

I have a recording of DTMF tones but I can't find anywhere to decode them. I've tried decoding by ear, but I have no sensory recall, so after a couple of notes, I'm lost. Any ideas on how to decode?

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now