ThoughtPhreaker

Switch bugs

37 posts in this topic

Back when I was served out of a DMS-100, I found out that it was possible to force the switch to keep you connected to the ANAC trunk if you flashed at just the right time. It's not very useful, but it could show a lot of potential for some more interesting results.

The way it works is, right as the ANAC starts reading off the last four digits of your number, flash, and click back sometime around the very last digit. I forgot if it's before, in between, or after the digit, but it's pretty easy to get the hang of once you've got it. If you flash back too late, the DMS will see the ANAC hanging up, and keep you stuck to the three-way dialtone. As you might've guessed, it'll disconnect you as usual if you flash back too early. If you flash back at just the right time, though, you get to stay on and hear the ANAC give you the fake reorder/weird hum/whatever it does after it's finished until the end of time. Not very interesting, sure, but it's a start on what could be a pretty cool bug, right?

Obviously, you can't use this to hold up a regular subscriber, since you'd have to be able to predict exactly when to flash back, but you can predict when something like an IVR, or a recording is going to disconnect, right? What if you were able to get yourself stuck to, say, an outgoing trunk, or a line card or something using the same technique? I dunno about you, but I think that'd be pretty cool :) . By the way, if you were hoping to find a way to MF into an outgoing trunk or something like that, you might as well forget about it. See, unless you're sitting on a TOPS trunk or something like it, the DMS isn't going to pass along supervision, and even if it did, it'd be passing along flashes at the same time, so it wouldn't let you click over.

As for the other switches, I can't say a whole lot, but you can bet this is the first thing I tried when I found the ANAC number on my 5E line. Even being as loud and ghetto as it is, the 5ESS is a bit harder to fool. Even if you manage to click back right as the ANAC hangs up, it's going to see it, and you'll get dropped. At least, that's the way mine is. Yours could be set up differently.

As with anything, 5Es aren't perfect, though. Not more than a few months ago, I had the weirdest experience I think I'll ever have on the phone. I picked up and made a long distance call to a bridge, but as soon as I finished dialing, the number was ringing. I figured the bridge could've just been broken, and for one reason or another, I flashed. As soon as I did, I got ringing voltage sent back to me! As you might imagine, I was pretty confused, so I hung up and tried calling it again. The bridge worked without a hitch.

Back when I was served out of a DMS-100, I found out that it was possible to force the switch to keep you connected to the ANAC trunk if you flashed at just the right time. It's not very useful, but it could show a lot of potential for some more interesting results.

Being an "inside-out" person with the phone network as I am, I can't help but wonder with a burning curiosity exactly how this works with regard to the switch itself - the actual reasons in the hardware and software as to why this works as it does. I would like to state for the record also that this is one of the most interesting topics ever to be posted on Binrev. Leave it to ThoughtPhreaker to post it. :) My immediate addition may seem rather inferior, but I may edit this post later to add some of my experiences with switch oddities. Here is a link to an article in the Winter 1993/1994 issue of 2600 regarding switch identification idiosyncrasies. It isn't extremely helpful, and I am not certain if these can be considered "bugs", but I thought it an interesting little column of text:

http://72.52.208.92/~gbpprorg/2600/know.jpg

(Note: I absolutely DO NOT condone the website that this was discovered on, but it was the only location in which I could find it).

Edited by The Philosopher

That is really interesting. I think I'll get a landline again because of this thread. :)

Also check out ThoughtPhreaker's Switch Descriptions.


Wow, it had that much of an impact? Awesome! :)

There's also another bug on the DMS-100, but if I understand correctly, it only works on ones that have old software/that were configured by doug. It's not fraudulent, but because it's way too leet to be posted out in an open forum, I'll just say that you might've tried it if you dial with CACs a lot.

Also, I really need to update that article sometime :/ .


Years ago, my home town was served by a 2ESS. I found a non-useful bug on the 2E: If you picked the phone up and then hung up at the exact instant that the dial tone would come on, the scanning circuitry would hiccup. When you picked up the line immediately afterward, you'd hear a slight whirring noise for a few seconds, then the line would go dead in much the same way as it did in the permanent signal condition.

The 2E went away in the mid-1980s, replaced by a 5E remote.

Years ago, my home town was served by a 2ESS. I found a non-useful bug on the 2E: If you picked the phone up and then hung up at the exact instant that the dial tone would come on, the scanning circuitry would hiccup. When you picked up the line immediately afterward, you'd hear a slight whirring noise for a few seconds, then the line would go dead in much the same way as it did in the permanent signal condition.

The 2E went away in the mid-1980s, replaced by a 5E remote.

That happens on 5ESSs too, or at least on mine, using pretty much the same method. It always takes a few tries, and I don't even know when the exact right moment is, but it works. When I call my home phone when it's "dead," my switch's AIS eerily declares it disconnected. There's no whining noise though, the line just goes totally dead.

Another weird thing about some or maybe all 5ESSs is their three way calling/"flashability." I don't know if these are bugs or quirks, or if they happen on all 5Es, but at least my switch allows you to flash as long as a real call (one that is not going to an error recording within the switch, is there a term for this?) is being placed. This is incredibly useful, it allows you to determine ring outs much more accurately, you can just place another call while you're waiting to find out if the first number you called was indeed a ring out. I'm not sure if this is also applicable to all 5E's, but one way my switch handles some call release cause value (the message sent back through the SS7 channel from the terminating switch that describes why the call was "released") is with a ring out. Of course, this goes to nothing, but these aren't flashable, so these are also easier to determine. The thing is, there are some inconsistencies with my switch's flashability, some numbers aren't flashable even though they do terminate to real numbers. If anyone could tell me why this happens, that'd be really appreciated.

Also, thoughtphreaker told me about another 5ESS bug that he discovered. If you rotary dial/flash a vertical service code, in his words, it puts the switch into a different mode than if you were to dial the code using touch tones. Touch toning * or # won't even break the dial tone under this condition.

Edited by samo

Not sure if this happens with all 5E's, but one I was playing with a couple of years ago would not go back to dial tone after a call disconnected. You'd get the clicks you always get before dial tone comes on, but no tone...the line would just sit there and eventually go to the permanent signal recording. What was a little creepy about this was you could dial when the line was silent and your call would go through normally.

Not sure if this happens with all 5E's, but one I was playing with a couple of years ago would not go back to dial tone after a call disconnected. You'd get the clicks you always get before dial tone comes on, but no tone...the line would just sit there and eventually go to the permanent signal recording. What was a little creepy about this was you could dial when the line was silent and your call would go through normally.

That's pretty weird. Where and when was this? All 5E's in my experience (and 5XB and 1XB and Panel too) go to PS after disconnection. I just tried it and couldn't get anything by dialling after the call disconnected.

Step switches, however - the calling party can disconnect at any time, so the called party gets dialtone immediately if they're still on the line. But the called party can't disconnect the call; they just get the calling party again and again.

Edited by chronomex

I saw this in the White Plains 5E (914-WH9) about 3 or 4 years ago. I made some recordings from there, will have to dig through the tapes to see if I captured this particular behavior.

Years ago, my home town was served by a 2ESS. I found a non-useful bug on the 2E: If you picked the phone up and then hung up at the exact instant that the dial tone would come on, the scanning circuitry would hiccup. When you picked up the line immediately afterward, you'd hear a slight whirring noise for a few seconds, then the line would go dead in much the same way as it did in the permanent signal condition.

The 2E went away in the mid-1980s, replaced by a 5E remote.

That happens on 5ESSs too, or at least on mine, using pretty much the same method. It always takes a few tries, and I don't even know when the exact right moment is, but it works. When I call my home phone when it's "dead," my switch's AIS eerily declares it disconnected. There's no whining noise though, the line just goes totally dead.

Another weird thing about some or maybe all 5ESSs is their three way calling/"flashability." I don't know if these are bugs or quirks, or if they happen on all 5Es, but at least my switch allows you to flash as long as a real call (one that is not going to an error recording within the switch, is there a term for this?) is being placed. This is incredibly useful, it allows you to determine ring outs much more accurately, you can just place another call while you're waiting to find out if the first number you called was indeed a ring out. I'm not sure if this is also applicable to all 5E's, but one way my switch handles some call release cause value (the message sent back through the SS7 channel from the terminating switch that describes why the call was "released") is with a ring out. Of course, this goes to nothing, but these aren't flashable, so these are also easier to determine. The thing is, there are some inconsistencies with my switch's flashability, some numbers aren't flashable even though they do terminate to real numbers. If anyone could tell me why this happens, that'd be really appreciated.

Also, thoughtphreaker told me about another 5ESS bug that he discovered. If you rotary dial/flash a vertical service code, in his words, it puts the switch into a different mode than if you were to dial the code using touch tones. Touch toning * or # won't even break the dial tone under this condition.

Answer Supervision is what you're thinking of. Most 5ESSes won't let you flash over on three-way calling unless the first call supervises (answers). However on my 5ESS switch, I can flash over regardless of supervision status, which has its pros and cons. It's nice to be able to make 2 calls very quickly, but it also sucks to not be able to test if a call supervises.

If you're able to determine ringout bridges this way, then that means the ones you found were supervising while the ring tone played. Not all ringout bridges supervise when they ring though, so keep that in mind.

Edited by Royal
Not all ringout bridges supervise when they ring though, so keep that in mind.

I actually haven't seen any that supervise, like, at all. Has anybody else? I could just be unlucky. Also, this is a bit off-topic, but there's a few other unique noises that switches make. I'm not sure about the rest of the switches in the PSTN, but there's another way to tell the difference between a DMS-100 and a 5ESS. When you get routed to an AIS, it makes a different sound.

I'm not sure how the best way to explain it would be, so here's two different numbers routing to the same AIS. Listen closely;

914-235-9925 - 5ESS

516-593-9950 - DMS-100

If you want another way to tell the difference between switches, check the thread on ring types.


ThoughtPhreaker is correct that ring types are a good way to tell what kind of switch you're dialing into. Another way is to see how centralized intercept comes on and plays. Finally, you can almost always tell from a non restricted outgoing line. 5ESS and DMS-100 are the most common types and are easy to determine. GTD-5 (aka 5EAX) is fairly common and somewhat easy to figure out. It's been a while since I played on a DCO so I don't know how well I can determine what kind of switch it is without looking up on a database.

Other than the very few Redcom switches out there - anyone know what other switch types are still in use? A database shows a SC ESC-3 still in use in rural Georgia. Dunno if that is true or not.


One more thing about 5ESS's. So the ring back in my area is 511, as it is throughout Chicagoland (to my knowledge). 511 is also an N11 code though, so these two numbers conflict a little. I used to think that the only way to reach 511 (the N11 code) was to dial 511, and then wait for a while for the switch to give up on receiving digits and connect the call. I also noticed that dialing any invalid number (including partially completed valid numbers), and then pressing pound, would connect you to a recording from the switch declaring the call invalid. Well, I put two and two together and dialed 511#, and I was connected to the 511 N11 number immediately (I think it's actually just an error recording parked on a tandem somewhere around here, not an actual service). So, long story short, I believe that # is somewhat of an "enter" button for 5ESS's. Dunno if this was common knowledge. It could be used to find special numbers belonging to the switch that are shorter than normal. Can we please keep this thread going?

I believe that # is somewhat of an "enter" button for 5ESS's.

That's been around even in the 1ESS. Most commonly, it was used as an "enter" key for 01+/011+ international calls, so that the switch wouldn't have to wait and see if any more digits were forthcoming.


Another somewhat common switch not mentioned so far is the Siemens EWSD (digital switch made starting in the late 80s)...I was served by one for a while until I got VOIP. Have a couple of recordings from it I can post if anyone wants, mainly getting a dialtone and calling a disconnected number.

Another somewhat common switch not mentioned so far is the Siemens EWSD (digital switch made starting in the late 80s)...I was served by one for a while until I got VOIP. Have a couple of recordings from it I can post if anyone wants, mainly getting a dialtone and calling a disconnected number.

I'd love that. There are a bunch of EWSD's in my area code, they seem to be replacing all the old switches in my area, I hope to use a payphone on one in the future. Thanks.

I'd love that. There are a bunch of EWSD's in my area code, they seem to be replacing all the old switches in my area, I hope to use a payphone on one in the future. Thanks.

JmanA9 made a few recordings from an EWSD as well, but I'm not sure what he did with them. I'm surprised nobody on a DMS-100 has tested the bug I posted above, though. It could yield some interesting results if the end office refuses to release the trunk on an intra-office call. I'm betting the tandem would freak out. If by perchance you've tried it, please post results :) .

I'd love that. There are a bunch of EWSD's in my area code, they seem to be replacing all the old switches in my area, I hope to use a payphone on one in the future. Thanks.

JmanA9 made a few recordings from an EWSD as well, but I'm not sure what he did with them. I'm surprised nobody on a DMS-100 has tested the bug I posted above, though. It could yield some interesting results if the end office refuses to release the trunk on an intra-office call. I'm betting the tandem would freak out. If by perchance you've tried it, please post results :) .

What recording? :)

http://jmana9.com/audio/TurtleCreekEWSD.mp3

Wow, I made that recording so long ago.


On the Highland Park DMS-100, a strange thing happens when you flash on the local error messages of the switch (the ones you get from dialing something invalid, for example). When you flash on one error recording, you hear a short ring to the same error recording from the beginning. Flashing again gives you silence, and then flashing once more actually hangs up. Flashing on another error recording results in a very loud off-hook tone, flashing again gets you silence, and then one more flash hangs up. It's a pretty old switch, if I remember, but I have no idea why this happens and haven't heard of anything similar to it. Here's a recording of flashing on the error recording that rings again.

DW_A0062.wav


Wow, that EWSD rings when giving intercepts...the ones I played with never did that. Here's a non-working number in one of them in my NPA that doesn't ring before it gives the recording:

(203)426-0000


Seriously? I thought all switches did it with internal announcement systems (except GTD-5s, since they're cool enough to be integrated with EASes) to queue calls? Try placing two calls up to the recording at once. Generally, at least on smaller switches, you'll get the recording on the second line as soon as the first goes to reorder/drops.


The EWSD I was served out of as a kid never rang for anything but an actual number. The first time I ever heard a switch do this was when I was playing with the phone at my grandma's (5ESS) and it rang after leaving the phone off the hook too long (this scared me since I thought an operator was going to come on). The EWSD just would always dump you right into a recording, or in the case of permanent signal play a few seconds of high tone first.


JmanA9,

I was listening to your recordings and had a few questions:

503-697 anac: What kind of dialtone is that/how did you get it?

Also, does the 724-548-5864 ANAC read out your ANI? It sounds like Verizon voice talent.

JmanA9,

I was listening to your recordings and had a few questions:

503-697 anac: What kind of dialtone is that/how did you get it?

Also, does the 724-548-5864 ANAC read out your ANI? It sounds like Verizon voice talent.

Kayara,

That dialtone is coming from my VoIP adapter. I changed it to sound like that so I could easily distinguish between my POTS line and my VoIP line. On a Sipura VoIP adapter, you can make the dialtone any combination of tones you'd like.

That ANAC does read your ANI. It's actually owned by Windstream, and the lady who does the recording is Pat Fleet. She's probably the most widely used voice on the network.

Let me know if you have any more questions.


When you dialed 503-697-0053, you used MF tones afterward, and I assume you were signaling the desired ANI information to the VOIP adaptor. When I dialed normally, without MF tones, I got a reorder that was sampled a bit differently. Does this mean the ANAC doesn't work anymore, or that I also need to use the MF tones to get it to speak any numbers?
