ThoughtPhreaker

Switch bugs

37 posts in this topic

When you dialed 503-697-0053, you used MF tones afterward, and I assume you were signaling the desired ANI information to the VOIP adaptor. When I dialed normally, without MF tones, I got a reorder that was sampled a bit differently. Does this mean the ANAC doesn't work anymore, or that I also need to use the MF tones to get it to speak any numbers?

The MF tones were being sent to the ANAC on the other end. After the touchtones stop, the VoIP adapter basically drops out, and nothing is being sent to it anymore. The reorder just means that something went wrong with the signaling. However, since you can tell that the reorder is being sampled differently, you know it's coming from the ANAC (I guess you decoded the DTMF digits :) ). The standard signaling is KP + 3 + 7 digits + ST if you want the number to be looked up. I believe it's KP + 0 + 7 digits + ST if you just want the machine to tell you that the number isn't valid. That was done usually if the number was in an invalid thousands block, and a lookup wasn't necessary. I'm pretty sure I didn't mix up the 3 and the 0, so someone please correct me if I'm wrong.


So I don't mean to pull a thread from the grave here, but I got to use an EWSD for the first time not too long ago. To make things more interesting, this switch is, from my understanding, AT&T's red-headed stepchild. Finding an in-house tech who has a comprehensive understanding of how to deal with it is like finding a hipster in North Korea.

So I guess it's only natural I heard a couple of pretty weird things. For one, you didn't even need to use a CAC to get around the 0xx/1xx blockade. While this is more an oversight than a bug, it gave kind of an interesting result. Since the call was placed on the "new" AT&T network (goes via ex-SBC/Bellsouth LD equipment), a DMS-250 decided this was a bad thing, and gave me a recording instead.

 

Also, a friend gave me a recording of OSPS losing its mind a while back. Usually dialing 101-0288-00 isn't a big deal; the extra zero is stripped out. But for whatever reason, the DMS-10 handling the call wasn't set up to do this, so the OSPS switch decided to go completely off its rocker and give them an emergency call failure recording instead.

 

Sorry about the EWSD recording, by the way. The voice modem I had with me was the best option, and it kinda screwed up the sound of going offhook.

101-0288-00.wav

ewsd_2140401152.wav


EWSD, DCO and GTD-5EAX switches are strange animals compared to 5ESS and DMS type switches. When we had something called pay phones (remember those?) it was fun going to places you've never been and exploring these strange beasts. But now it's almost impossible to experiment.

EWSD, DCO and GTD-5EAX switches are strange animals compared to 5ESS and DMS type switches.

 

You don't even have to look that far - try using a DMS-100 configured by Qwest sometime, they can be pretty strange.

 

It'd be nice if DECT base stations could help pick up where payphones left off. Especially now; there's a sudden very serious concern for privacy, and aggressive telco bundling at the same time. There could be demand for a network of public base stations. The implications of letting someone have at your phone line - spare or otherwise - are pretty strong though. Still, it sounds like a great improvement over COCOTs, right? I can't count how many times a Protel phone has refused to dial a 958/959 number normally.


On ORCHWA01DSO (5E) you can sometimes (eh, fuck that) usually hold up another line in your exchange by calling it and staying on the line. The guy on the other end may physically hang up, but when he picks it up again, here you are tying his line up. This weird bug has been around for something like 20 years and is still a popular prank junior high kids play to get back at each other for whatever.

I once had an older neighbor on my exchange (254, at the time) who had a habit of forgetting to shut off her cordless phone when she was done talking to me (so she'd just set it down on the table and walk away from it). Five minutes later I'd go to make another call and there it was, picking up her TV set audio blasting away in the next room. I'd sometimes go hoarse yelling into my phone to get her attention so she'd hang up and release my line...

As far as I know this only works within the same exchange in that office (e.g. 254 to 254), not across exchanges (e.g. 256 to 892, or even 254 to 256).


Wow, that's awesome. Someone told me not too long ago that BT reconfigured all their switches to have much shorter release guard now as a response to scammy sorts giving people incoming calls with fake dialtones. It was long (three minutes-ish?), but not indefinite like on that switch.


Wow, it had that much of an impact? Awesome!

There's also another bug on the DMS-100, but if I understand correctly, it only works on ones that have old software/that were configured by doug. It's not fraudulent, but because it's way too leet to be posted out in an open forum, I'll just say that you might've tried it if you dial with CACs a lot.

Also, I really need to update that article sometime :/ .

Could you tell me what carrier access codes do exactly? I get that they change you to a different long distance carrier for the duration of the call, but how exactly does it work? I would try it but I'm worried about getting billed a lot, since the landlines at my house are my parents'.


Basically, it's just a code that tells your switch which long distance carrier should place your call. If you dial a long distance call without it, it'll use whichever carrier access code you're pre-subscribed to. So for example, if you dial 229-430-0002 and you have Sprint long distance, your switch will act as if you dialed 101-0333-1-229-430-0002. That particular number is pretty safe to casual dial if you want to try it.

 

That's all well and good - you can use these to play with long distance equipment in whatever way you want. But it can also be a little like walking through a minefield, so you always have to be careful. If you're placing a call on a long distance network without subscribing to it, you're doing something called casual dialing. Since phone companies generally don't like casual dialing, the rates are usually insane for it. Like, $5 for a two minute call insane. So there's a few things to keep in mind:

 

1) Casual dialing is fun, but you have to be absolutely sure the call doesn't supervise. Usually this means calling it on whatever long distance carrier you're subscribed to normally. One good way to test - at least on a 5ESS or DMS-100 - is to try flashing during the call. If you don't get a stutter dialtone, it hasn't suped yet.

 

2) Beware of Alaska and rural areas. Since it can be expensive to terminate calls there, some cheaper carriers use what're known as black or grey routes to re-originate traffic. Basically, it means offloading traffic onto something that can make the call look local so they don't have to pay termination fees. Or sometimes, placing the call over a residential/business long distance account. Sometimes though, they'll put you on regular phone lines or cell phones, which can't convey supervision properly. Basically what this means is it'll look like the call has supervised right away. In practice, most of the time you'll see this on cheap calling cards and voip providers.

 

The AT&T (0288), Verizon ex-MCI (0222), Verizon ex-Worldcom (0555), and Sprint (0333) long distance networks basically never do this in my experience.

 

3) The stakes are even higher with international calls. If you're calling an expensive country, well, yeah. Black/grey routes are out there no matter what carrier you use. Also, fraud is sometimes done via casual dialing, so if you make a lot of calls, even if they don't supe, expect someone to block you. A few years ago, I was trying to make a recording of Morocco's international gateway switches via MCI. It didn't supe on the calling card platform, but the call timed out faster on there than on the long distance network. So I made a few casual dialed calls to the same number. Those didn't supe either, but they did block me for it.

 

4) There are some things that're free to call, like UIFNs (country code 800). That's a whole other story altogether, but it's one place where casual dialing is basically zero risk.

 

If you do get a bill for a casual dialed call you didn't place, you can usually just call customer service, explain that to them, and they'll likely just tell you to tear the bill up. But if you go that route, they'll probably block you anyway. Alternatively, if you really want to use the carrier, ask if they have any long distance plans without monthly fees. For example, Sprint will give you some small amount of minutes per month, like 50 for free if you have a cell phone plan with them. Just be sure to tell them you don't want your line to be pre-subscribed to their CAC if you have some other long distance plan.


Since phone companies generally don't like casual dialing, the rates are usually insane for it.

 

..." but you have to be absolutely sure the call doesn't supervise."

Heed his warning. One time, I called Missouri (573 NPA) from a part of Houston, Texas (713 NPA) using Sprint and they had the decency to charge me $5.92 for a one-minute call.

 

"If you don't get a stutter dialtone, it hasn't suped yet."

 

However, if you're in AT&T's area and your parents subscribe to Complete Choice Enhanced or All Distance (perhaps even an older plan), you WILL get the stuttered dial tone for every call whether it's a supervised call or not. (I don't know if that happens outside of Texas or maybe because of the Three-Way feature...)(I'll update this if I stand corrected)

 

Also, if you really want to make sure if your call hasn't supervised, use a calling card. Why?

Calling cards generally report the balance they have remaining for use so... use it to your advantage (though I wouldn't recommend using it even if for a domestic call costing 1 cent or 2, assuming you have no long distance provider).

Ex. Using a calling card from IDT, I dial Hotel Pennsylvania (PE6-5000) which uses up 5 cents = ($1 - 0.05 = 0.95) 

14121708.MP3 (apologies if it sounds robotic)

 

The reason why I chose PE6-5000 was because it is a supervised number and since my calling card deducts the cost for the call as soon as it supervises, it's a great way to tell the difference (however, using calling cards from callingcardplus.com "might" not be as informative since it deducts after a half-minute or full minute has passed)


My carrier must block cacs <_<. Can't even make a call with one to a 1-800 number.


If it's a POTS line, they're legally obligated to allow CACs. But you can't do toll-free over a CAC; the way it works is when you dial a toll-free number, your switch does a lookup in a toll-free database called SMS-800. From there, it gets a destination to route the call to, and a long distance carrier to route it with. Long distance tandems can't do SMS-800 dips, and it wouldn't really make sense for them to since they'd be just turning around and sending traffic back to another long distance carrier a lot of the time.

 

But if you have a chance to enter a toll-free directly into a long distance tandem, you can get lucky sometimes. For example, on Verizon's ex-MCI/0222 network, the DMS-250s (but not the DEXes. You can usually tell from the recording) will send the toll-free number to a few different CLEC end offices MCI owned: New York, Chicago, Portland, Dallas, and...crap, I can't remember the other one. But there's at least one more. I'm not sure what circumstances the DMS-250s will give you dialtone from. It might be like Sprint where they'll only give you one if you subscribe to one of their plans.

 

And then there's AT&T. There's some circumstances where you can just pick up, dial 101-0288# and get a dialtone even if you're not a subscriber. I think only in places where they have 5ESS "edge" tandems. You can give the switch a toll-free number, but it doesn't do SMS-800 dips. So it'll mostly just complete calls to AT&T toll-frees, but if you try calling other toll-frees, sometimes you'll get weird things. Like 800-244-1111, one of Qwest's toll-frees, will get you a CBCAD recording from a McleodUSA DMS-500. My guess as to why this happens is when Qwest was US West, they had no long distance network; Qwest was a long distance company that acquired US West and ported all their toll-frees to their own network. Anyway, before that they probably had an AT&T toll-free. With time, that old data just sat there unchanged in AT&T's long distance switches, and there was an area code change or two. So we're just hearing the results.
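The carrier-selection rules from the two posts above (explicit 101XXXX code, presubscribed default, operator via 0/00, toll-free carrier chosen by the SMS-800 lookup) can be turned into a check that flags casual-dialed calls in a list of dialed strings before they show up on a bill. This is an added example, not code from any poster; the function names, the `kind` labels and the sample list are constructed for illustration, and the toll-free area code list is an assumption not taken from the thread.

```python
import re

# Carrier codes and labels as named in the thread.
CARRIERS = {"0288": "AT&T", "0222": "Verizon ex-MCI",
            "0555": "Verizon ex-Worldcom", "0333": "Sprint"}
# Assumption: toll-free area codes, not listed in the thread.
TOLL_FREE_NPAS = {"800", "888", "877", "866", "855", "844", "833"}
CAC_RE = re.compile(r"101(\d{4})(\d*)")            # 101 + 4-digit carrier code
NANP_RE = re.compile(r"1?([2-9]\d{2}[2-9]\d{6})")  # optional 1 + 10 digits

def classify(dialed, presubscribed):
    """Return carrier selection and billing-risk flags for one dialed string."""
    digits = re.sub(r"\D", "", dialed)
    cac = CAC_RE.fullmatch(digits)
    cic, rest = (cac.group(1), cac.group(2)) if cac else (presubscribed, digits)
    out = {"cic": cic, "explicit_cac": bool(cac), "number": None,
           "casual": bool(cac) and cic != presubscribed}
    nanp = NANP_RE.fullmatch(rest)
    if rest in ("0", "00"):
        out["kind"] = "operator"
    elif nanp and nanp.group(1)[:3] in TOLL_FREE_NPAS:
        out["number"] = nanp.group(1)
        if cac:
            out["kind"] = "toll_free_over_cac"  # thread: not completed this way
        else:
            out.update(kind="toll_free", cic=None)  # carrier comes from SMS-800
    elif nanp:
        out.update(kind="direct_dialed", number=nanp.group(1))
    else:
        out["kind"] = "unrecognized"
    out["carrier"] = CARRIERS.get(out["cic"], "unknown") if out["cic"] else "per SMS-800"
    return out

def casual_calls(records, presubscribed):
    """Pick out dialed strings that selected a carrier other than the subscribed one."""
    return [r for r in records if classify(r, presubscribed)["casual"]]

# Constructed sample of dialed strings for a line presubscribed to Sprint (0333).
SAMPLE = ["229-430-0002", "101-0333-1-229-430-0002",
          "101-0288-1-229-430-0002", "101-0288-00", "1-800-244-1111"]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, classify(s, "0333"))
    print("casual:", casual_calls(SAMPLE, "0333"))
```
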


If it's a POTS line, they're legally obligated to allow CACs.

Yeah, but I wouldn't put it past some companies to act like little things like FCC rulings don't apply to them. (Anybody here [besides me] old enough to remember United Telecom in its last decade?) Even in the early 90s, well into the "equal access" era, you wouldn't believe some of the trouble my parents had with GTE, getting off Sprint (pwned by GTE then) to make CAC calls on AT$T via 10288. GTE had cut our office over to an EAX toward the end of the '80s so it wasn't like we were still on the step exchange that was hard-wired to a particular carrier.

So they may be legally obligated to, but nothing's going to stop a holier-than-thou phone company from acting like they're above the law, wrong as they are.

But you can't do toll-free over a CAC

Well, you *can* call 1010288 0, give the operator the number and have her dial it, but that's not entirely the same thing...