Partyline4

Ripe old questions

27 posts in this topic

Hello everyone! I recently got very interested in telephones and have found myself enveloped in some rotary and pre-1980s telephones.

Playing with them constantly, I pondered a curiosity. How did people find the numbers of anonymous payphones, or people for that matter?

I'm sure there was a directory, but there had to be those people who did not have a LISTED telephone number.

The question branched from reading about "Captain Crunch" and his crazy phreaking days. How did the blind kid, and himself know how to infiltrate the telephone systems?

I personally think someone on the inside leaked info, maybe just enough to lead them onto their discoveries. From the little I know, I think back then the carrier signal was not hidden? Correct me please.

I recall from his main website that he gave out the pay phones in the prison's numbers to the guys so the families could call back. How did he do it?

Just a curious knowledge seeker.

And since I am brand new, are there any threads that list the terms and info about everything telephony?

Like the trunks, scanners, and all this stuff everyone else seems to know :P
ThanksknahT

- PartyLine4

Edited by Partyline4

Yes, there were leaks about the internal workings of the Bell System, both intentional and unintentional. Leaked, found or published Bell System Practices, intended to explain the inner workings of the Bell System for the linemen, switchmen and other employees, also provided some insight into parts of the system.

 

With ANI and ANAC lines, you can dial a known number from a phone and get the number read back to you. Give (800) 444-4444 a call and MCI will read your number back to you. Not sure how long these particular services have been available. Test numbers in general can provide a lot of interesting information. Check around the forums for the "Some Numbers" thread!


Golly, thanks Glitch. Never even thought about Bell giving that info out. Seems pretty obvious.

I read that in Canada, the payphones cannot receive calls. Pretty interesting.

Ever checked out the phone-project site? Gives you numbers of payphones across the US.

I tried a lot of them in my town, but many of them were probably stolen or have been removed.


I tried the 444-4444 :) Pretty cool!

*67 can't really block your ANI can it? Seems too cliche.

I've heard about trunk stacking or something like that? Tricks to stay anonymous would be a good thread!

Edited by Partyline4

Fortunately, a lot of the BSPs are available online for free, so it's easy to get them to read up on old equipment. I've made extensive use of them in figuring out the Bell 1A2 key telephone hardware, of which I have several bits and pieces.

 

I know several pay phone lists have existed in the past, don't know who's the most current anymore. BlackRatchet's YAPL (Yet Another Payphone List) appears to now be domain squatted by some Russian air conditioner company. Unfortunately, many of the pay phones in our area have been removed. There are at least two in town though.

 

I'm not too familiar with how *67 works, but I doubt it really blocks ANI, just CID for the destination number. Search around for "ANI fail" to look at ways people have used to get a true fail.

 

There's a good thread elsewhere in the forums about cheeseboxes. In short, it's a device that you connect to two phone lines that, in its simplest form, picks up on one and waits for the other to pick up, then connects the calls. More advanced versions allow one to dial out on the other line. Apparently these were left in telco boxes and telecom rooms for anonymous meetings.


I'm not too familiar with how *67 works, but I doubt it really blocks ANI, just CID for the destination number. Search around for "ANI fail" to look at ways people have used to get a true fail.

 

 

The way it works is when you dial *67, your switch adds an extra bit into the SS7 initial address message (where both of your ANI fields, among other things, are stored) telling the office you're calling not to deliver it to the end user. Since this isn't actually removing any fields, some equipment will just ignore this, or even strip the bit in some cases. The FCC frowns upon this, though, so it's usually a mistake or something that isn't talked about by providers.

 

I've heard about trunk stacking or something like that? Tricks to stay anonymous would be a good thread!

 

Tandem stacking? There's some good examples of Evan Doorbell doing that here; http://www.wideweb.com/phonetrips/

 

In everything except very rare cases, though, tracing is a matter of just looking at logs. Aside from using a phone that anyone has physical access to, you'd probably want to transmit an ANI fail over multiple providers.

Edited by ThoughtPhreaker
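Added example, not part of any post in this thread: a Python sketch of the ISUP Calling Party Number parameter, using the ITU-T Q.763 octet layout, to show what the post above describes. A blocked call differs from a normal one only in the presentation indicator bits, while the digits still travel in the initial address message. The number 202-555-0123 and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Address presentation restricted indicator, octet 2 bits 4-3 (Q.763).
PRESENTATION = {0: "allowed", 1: "restricted",
                2: "address not available", 3: "reserved"}


@dataclass
class CallingPartyNumber:
    nature_of_address: int
    numbering_plan: int
    presentation: str
    screening: int
    digits: str


def encode_cgpn(digits, presentation_bits, nai=3, plan=1, screening=3):
    """Build the parameter bytes. Defaults: national number, E.164 plan,
    network-provided screening."""
    odd = len(digits) % 2
    octet1 = (odd << 7) | (nai & 0x7F)
    octet2 = ((plan & 0x7) << 4) | ((presentation_bits & 0x3) << 2) | (screening & 0x3)
    padded = digits + ("0" if odd else "")
    # Two BCD digits per octet, first digit in the low nibble.
    body = bytes(int(padded[i]) | (int(padded[i + 1]) << 4)
                 for i in range(0, len(padded), 2))
    return bytes([octet1, octet2]) + body


def decode_cgpn(param):
    if len(param) < 2:
        raise ValueError("calling party number needs at least two octets")
    odd = param[0] >> 7
    digits = "".join(f"{b & 0xF:x}{b >> 4:x}" for b in param[2:])
    if odd and digits:
        digits = digits[:-1]  # drop the filler nibble
    return CallingPartyNumber(
        nature_of_address=param[0] & 0x7F,
        numbering_plan=(param[1] >> 4) & 0x7,
        presentation=PRESENTATION[(param[1] >> 2) & 0x3],
        screening=param[1] & 0x3,
        digits=digits,
    )


def caller_id_display(cgpn):
    """What a terminating office that honours the indicator shows the subscriber."""
    if cgpn.presentation == "allowed":
        return cgpn.digits
    return "PRIVATE" if cgpn.presentation == "restricted" else "UNAVAILABLE"


def switch_log_entry(cgpn):
    """What the network itself still holds for the call, whatever the indicator says."""
    return cgpn.digits


if __name__ == "__main__":
    for bits in (0, 1):  # 0 = normal call, 1 = presentation restricted
        raw = encode_cgpn("2025550123", bits)  # constructed number
        cgpn = decode_cgpn(raw)
        print(raw.hex(), caller_id_display(cgpn), switch_log_entry(cgpn))
```
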

How does one do an ANI fail?

*67 definitely doesn't do much for anything outside of local calls. 1-800-444-4444 recognizes the number through *67, so I guess anything could, really.

At my community college, there are these red emergency phones scattered all over the campus. Kids use these to make calls and such. They are the old style Bell wall phones, but made of cheap plastic.

I bet I could get the numbers from them, and have some fun :P

Also the teachers' phones in their classrooms would be a good hit.


Hello,

Well it's not really an ani fail but more so failing your charge number and then setting your calling party number.

There's some voip carriers that will send a fail behind your calling party, so.. just set your cpn to letters or something to break it and it'll pass unavailable. However 8004444444 will do weird things when you fail to it. 4443333 will just read cpn.


 

I know several pay phone lists have existed in the past, don't know who's the most current anymore. BlackRatchet's YAPL (Yet Another Payphone List) appears to now be domain squatted by some Russian air conditioner company. Unfortunately, many of the pay phones in our area have been removed. There are at least two in town though.

 

 

 

Oh man for real! That was a good site.. But yeah.. *67 just changes the presentation to withhold the calling party number from the called party. But it's usually in the P-Asserted-Identity or Remote-Party-ID when using voip, even though the party called will get private or anon displayed, it's in the headers. (depending on what's being sent from your downstream)

 

 

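Added example, not part of any post in this thread: a Python sketch of the SIP case described in the post above, where the From header is anonymous but the number still rides in P-Asserted-Identity, and of the border behaviour RFC 3325 requires (remove the asserted identity before forwarding to an untrusted element when `Privacy: id` is set). The INVITE, hostnames and numbers are constructed, and treating the non-standard Remote-Party-ID header the same way is an assumption of this sketch.

```python
import re

IDENTITY_HEADERS = {"p-asserted-identity", "remote-party-id"}
URI_USER = re.compile(r"(?:sips?|tel):([^@>;]+)")

# Constructed INVITE as a trusted upstream might send it for a blocked call.
SAMPLE_INVITE = (
    "INVITE sip:+12025550199@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example;branch=z9hG4bKconstructed\r\n"
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1\r\n'
    "To: <sip:+12025550199@carrier.example>\r\n"
    "Call-ID: constructed-1@pbx.example\r\n"
    "CSeq: 1 INVITE\r\n"
    "P-Asserted-Identity: <sip:+12025550123@pbx.example>\r\n"
    "Privacy: id\r\n"
    "Content-Length: 0\r\n\r\n"
)


def split_message(msg):
    """Return (start line, [(header name, value)], body). Folded headers are not handled."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def privacy_tokens(headers):
    """Privacy values are semicolon separated (RFC 3323)."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "privacy":
            tokens.update(t.strip().lower() for t in value.split(";") if t.strip())
    return tokens


def uri_user(value):
    match = URI_USER.search(value)
    return match.group(1) if match else None


def identity_exposure(msg):
    """Summarise which identities a receiver of this message can read."""
    _, headers, _ = split_message(msg)
    return {
        "displayed": next((uri_user(v) for n, v in headers if n.lower() == "from"), None),
        "asserted": [uri_user(v) for n, v in headers if n.lower() in IDENTITY_HEADERS],
        "privacy": privacy_tokens(headers),
    }


def forward_to_untrusted(msg):
    """Border element step: drop asserted identity when the caller asked for Privacy: id."""
    start, headers, body = split_message(msg)
    if "id" in privacy_tokens(headers):
        headers = [(n, v) for n, v in headers if n.lower() not in IDENTITY_HEADERS]
    return "\r\n".join([start] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(identity_exposure(SAMPLE_INVITE))
    print(identity_exposure(forward_to_untrusted(SAMPLE_INVITE)))
```
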
How does one do an ANI fail?

 

The tried and true way to do this is to just call the operator, say you're special, and ask her to dial something that's local or toll-free. There's also ways of changing one of your ANI fields using a combination of call forwarding and one other custom calling feature.

 

There's some voip carriers that will send a fail behind your calling party, so.. just set your cpn to letters or something to break it and it'll pass unavailable. However 8004444444 will do weird things when you fail to it. 4443333 will just read cpn.

 

In practice, not all of them do this but most toll-free carriers require you to send a valid number for the call to route. This is why calling card services and equipment intentionally sending an ANI field will send your number as just an area code, if not a generic number. Some Paetec numbers in particular are actually pretty funny. If you send partial ANI as part of your CPN field but leave everything else intact, the call will fail.


Do the phone companies monitor these threads? Probably...


I assume most of the users on binrev use cellular devices...

Edited by Partyline4
How would you do it from a landline?

 

The method I described with an operator works exclusively with landlines.

 

Do the phone companies monitor these threads?

 

Better yet, does it matter? The ANI fail trick is something that's worked for a good while. Network security people almost assuredly know about it; this is caused by a bug in TOPS, the DMS-200 based platform that runs operator services. Dialing numbers for "special" people is a service the FCC requires the local phone company to offer, though, and the bug doesn't give any risk to the operating company's equipment being compromised or exploited. The motivation to fix it is probably very low.



So basically, you're getting the O to make the call for you? Say, if you call the operator, wouldn't they know who you were? Possibly leaving a log behind?

Sorry about saying you didn't explain. I was viewing the site over a mobile device and flipped through your other post on this thread.


 

Edited by Partyline4
So basically, you're getting the O to make the call for you? Say, if you call the operator, wouldn't they know who you were? Possibly leaving a log behind?

 

If you do it frequently, they will start to recognize you. If this is a concern, you might want to consider calling in during a different shift. Most aren't going to care unless it's clear you're doing something like harassing someone, though. In that case, you might want to reconsider what you're doing - anonymity isn't a replacement for good judgement.

 

As for logs, sure. Even electromechanical equipment had ways of producing call logs. I'd be very surprised if you found anything that didn't. This all relies on what number the equipment received, though. If something that passes ANI receives an ANI fail, it's likely going to pass that fail on and leave nothing but a fail for incoming and outgoing in the logs.


You can ask for a special flag on your account that indicates you're special. Then you won't have to worry about it.. but just use sip and test.


So basically, you're getting the O to make the call for you? Say, if you call the operator, wouldn't they know who you were? Possibly leaving a log behind?

Sorry about saying you didn't explain. I was viewing the site over a mobile device and flipped through your other post on this thread.

 

 

Getting, or convincing an operator to dial a number for you is known as 'Op-diverting' and was the standard method of anonymizing a call for a very long time. Generally the op could find out who you were, or have "log" info, but in reality most telco employees were/are completely unaware of the idea of fraud or phreaks. "Hi there, I'm blind and having trouble dialing a number" worked for a long time, but then they got wise and some telcos started keeping track of which lines belonged to the blind and Deaf/HoH. It was much easier to fake an equipment malfunction like "I'm trying to call 555-1119 but the 9 button on my phone isn't working... I'm real sorry to bother you, but I'm really worried about my blah blah and need to make this call" worked like a charm for years. For a couple of years in the late 90s and early 2000s we were able to use an automated op-divert through a 10-code (later 10-10 code) system. The most popular was AT&T at 10-10-288 which is AT&T's code. When you added a 0 to the end of the code you could get a prompt to dial even a toll free number, this would not only cause an ANI fail and re-assign a new ANI, sometimes it would assign an AT&T owned (ie; shows up as a phone in an office inside of AT&T) ANI and CID, or fail so hard it would assign a 6 digit ANI that started with a 1. The MCI ANAC 800-444-4444 is not a true ANAC and just reads back CID info, you can easily spoof this ANAC. There are still some good ANAC/Testing numbers out there that will give you true ANI, ANI II, and other test numbers. They're in the 800-555-xxxx exchange. I'll leave you to find them yourself ;)

 

In the mid 2000s manually op diverting started to get pretty hard, and when you could pull it off they would generally forward your ANI. The way me and my friends got around this took a lot of work. We opened every large box we could find, we called them Junction Boxes but I have no idea if we were correct in that, and looked for phone numbers written by line techs. Over time we compiled a list of numbers that they seem to call quite often and devised part of an exchange that belonged to internal departments of our ILEC. We scanned them, social engineered info out of them, and eventually had enough names, numbers, and information to get pretty much anything we wanted. I could call Brenda at XXX-0806 and tell her I was another employee (and used a real name she would know, but someone in a different town than her) and I lost my company directory and get her to transfer me to "John in Atlanta" or something like that. Once I did that I was calling within the ILEC carrying an internal ANI and they would do anything I wanted, give me a line out, transfer me to RCMAC, run tests, or anything really.

 

I know this doesn't really answer your question but it reminded me of how we (my friends and I) did it in the 90s and 2000s. 

Edited by Bizurke

Excellent info, "thought criminal"

I just tried 1800-555-1234 and it was some sweepstakes winner bit. :P

How would I find these ANI, and ANI 2 numbers other than just guessing?

What is RCMAC?

I noticed that on my BELL 2500, if I press 5 AND 6 together, I get a pretty neat tone.


Excellent info, "thought criminal"

I just tried 1800-555-1234 and it was some sweepstakes winner bit. :P

How would I find these ANI, and ANI 2 numbers other than just guessing?

What is RCMAC?

I noticed that on my BELL 2500, if I press 5 AND 6 together, I get a pretty neat tone.

 

We used to scan entire exchanges by hand. Say one guy will do 800-555-1XXX another will do 2XXX etc and make lists of what each number is. You can probably find old text files of scans to start with. It looks like the numbers I was thinking of are dead nowadays so that won't help anyway. There is an old post about it where you might find some numbers that work, or an exchange to scan to find more.

 

http://www.binrev.com/forums/index.php/topic/7281-800-555-1140-dead/

 

Decoder explained RCMAC in a previous post.

http://www.binrev.com/forums/index.php/topic/2908-verizon-rcmac/?p=22797

 

It used to be like the Holy Grail of noob phreaks. 

 

It is ANI (annie) and ANI II (Annie Eye Eye) not ANI 2. Also, not everyone calls it "Annie". I've had some debate with other phreaks about this in the past. Strom and I still can't decide who is right on this subject. When I worked for phone companies we called it "Annie" but it seems other phreaks and some telcos just call it A-N-I. This was also part of our debate on "telephony" being "Tel-eff-in-ee" or "Tel-uh-phony". 


It is ANI (annie) and ANI II (Annie Eye Eye) not ANI 2. Also, not everyone calls it "Annie". I've had some debate with other phreaks about this in the past. Strom and I still can't decide who is right on this subject. When I worked for phone companies we called it "Annie" but it seems other phreaks and some telcos just call it A-N-I. This was also part of our debate on "telephony" being "Tel-eff-in-ee" or "Tel-uh-phony".

 

 

Hah, you beat me to it! Yes, Annie Two sounds like a sequel to an overused movie title. I've never heard The Phone Company talk about II digits, but II digits are referred to in documents as "information integers". Officially, I've heard ANI pronounced as Annie. That being said, though, I think there's a bit of a mystery regarding how transmitted digits can end up being displayed to the distant equipment. For example, an ANI fail via the operator will show up at the distant end as 23 very often, but a more formal ANI fail from an exchange not programmed to send ANI for whatever reason will show up as something other than 02 even if the switch specifically sends that out - I think just 00.

 

None of this actually applies to attempts at an ANI fail from most voice over IP providers to the best of my knowledge. The reason being that if you assign no number to your call, a media gateway will often give you a generic number. Alternatively, if someone tries to assign 000-000-0000 to a call, it's literally 000-000-0000 instead of a fail (which sends nothing, or just area code). Though some ANACs will read a fail back as all zeroes, it'll do this simply because it's programmed to read back ten digits, but there's no digits to read. The reality is it still shows up in logs as 000-000-0000 if that's what you assign the number as. In a nutshell, it sounds as authentic as walking into a Mexican restaurant and ordering a crunchy taco supreme; you're distinguishing your call from other ANI fails, and someone - or something is likely to use that to identify you.

 

 

How would I find these ANI, and ANI 2 numbers other than just guessing?

 

I'd check blocks of numbers owned by IVR companies, such as West Interactive or First Data Voice Services. They're probably going to be the biggest users of them, and have enough resources at their disposal to construct it on a whim. Aside from checking local ranges they own, tollfreeda.com or 800-555-1212 have gotten lucky occasionally, and inadvertently listed test lines. That would be the first place I'd look.

 

In any event, we really do need a new II digit ANAC, though, maybe this should be an organized effort.

 

In the mid 2000s manually op diverting started to get pretty hard, and when you could pull it off they would generally forward your ANI. The way me and my friends got around this took a lot of work.

 

Maybe it's just a thing native to your telco, but I've never run into any trouble op diverting.

Edited by ThoughtPhreaker

The method that sounds the easiest is the op divert.

I am considering getting a job with my Telco, Verizon's Frontier, and maybe learn some more about the whole network.

I recall only seeing ONE telephone box being opened in my town and seeing the hundreds of red and green terminals.

They are placed in active locations, so no chance of busting in!

I would love to take this old Northern Electric butt and plug into a line!

Edited by Partyline4
In all my years with an interest in phones I have only successfully op-diverted maybe ten times. As sad as this sounds that's not an exaggeration - but on the bright side two of those happened on a cruise I went on like seven years ago where I got to go through a ship-to-shore system that was pretty cool. I've never had my local operator put me through to a toll free number, even when I say I'm visually impaired (haven't tried any other medical issue), and it's the same thing with PIC operators; they all claim they can't connect toll-free calls. I have ATT as my operator, if that helps.


That's interesting, have you tried asking the operator what the word is? In ex-Embarq territory, it's not special, it's "visually handicapped" or something just as politically correct sounding. The way I do it is to say something like "Hi, I just moved here from Verizon territory, and when a blind person needs help dialing a number, they tell the operator they're special. Is there a word like that here we can use to get help making a call?"

 

That being said, I do make my way to the ex-GTE part of Frontier territory pretty frequently, and 'special' most certainly is the word they use.


I just asked the operator and she said I'd have to call the disability office to get a tag put on my line, which I then did. The lady I spoke to was gonna send some forms to my house for me to fill out which I'd imagine require me to provide some documentation proving my 'disability' so I just told her to not bother. :'(


It sounds like they're pretty serious about this then. Geez, lighten up, AT&T!


Something interesting that I noticed:

Many people today use these 2.4 GHz digital phone systems with electret mics and such, right?


I, however, use the old style model 500's and noticed that a yelp, at a certain pitch, causes a break in the line.

This is the in-band signaling still used on the POTS local lines. A recorded sound file of your phone number played into the microphone will cause the line to actually dial out!

This does not work for these digital phones, at least for my experience.

I just wanted to post this because I figured it out myself. I'm sure many of you have known this for decades.

So if long distance was switched, why did they leave the local calling with in band? 


So if long distance was switched, why did they leave the local calling with in band? 

 

I would suspect this is to allow legacy hardware to continue functioning. Plus, there's little harm you can do in sending IBS that was intended to originate from the customer's equipment.

 

Presumably wireless handsets for cordless phones don't send DTMF to the base station, but rather some sort of signalling that gets the base station to generate DTMF. I'm sure it's integrated in modern cordless base stations, but I remember scavenging DTMF generator ICs from old ones!

