kotaKat

Satellite phone phreaking?

12 posts in this topic

I managed to pick up fairly cheap Iridium and Inmarsat terminals on eBay - and got them activated. Anyone here phreak with satphones?

0


What models are the phones?

Pre- or postpaid?

There isn't much you can do phreaking-wise with them; there are short codes for reaching various services.

I'm not sure about Inmarsat, but there isn't anything you can do with just a dead Iridium phone with no service.

With the older tri-mode Globalstar phones like the Qualcomm 1600, it's tri-mode and can default back to CDMA service.

Thuraya phones only work in the eastern hemisphere.

-1


I got to play with an Iridium phone not too long ago. Lotsa fun! US calls all route through Sprint's DMS-250 network. Interestingly, NPA-700-4141 will get you a recording from a tandem in the area you call - like, for example, calling a number in Washington DC will get you 230, the Sprint DC tandem. For at least part of Canada, you'll get trunks via Stentor (I think Rogers owns it now). This being Canada, well, it's also a DMS-250 network. Quite a nice one too, you can hear recordings from lots of switches typically only Canadians get to hear via NPA-310,958,959, etcetera. You might get the impression from some ANACs that the network doesn't transmit ANI. It very much does assign at the very least proper CPN, but since it stuffs the whole twelve digit number including the country code into the field, most things won't want to read it.

 

Oh, and there's literally one rate for every PSTN number except other satellite services. Calling Cuba, Palau, Ukraine or wherever else costs the same as the US. Calls are billed in 20 second increments (which is quite nice, those minutes are expensive!), and only charge if the number supes (this excludes toll-frees, since Sprint will haul you off to the international inbound 800 platform, which forces everything to supe. The tradeoff is this platform genuinely doesn't deliver ANI). This being Sprint though, you won't get to pass audio before supervision.

 

As for the Iridium network itself, someone generously donated an index of Iridium prefixes, and agreed to let me share it here. If you do decide to scan, you'll need it, they hide their stuff really good:

 

8816-214 Commercial Accounts
8816-310 Test/Demo Accounts
8816-314 Commercial Accounts
8816-315 Prepaid Accounts
8816-316 Prepaid Accounts
8816-317 Colombia Ministry of Defense
8816-318 Crew Calling Card
8816-414 Commercial Accounts
8816-415 Prepaid Accounts
8816-629 contains smsc, etc
8816-762 DoD limited voice service
8816-763 DoD voice service
8816-766 DoD international voice service
8816-629-00005 Service center number
8816-311-10006 Tempe gateway test number

8816-000021 Direct Internet
8816-000022 Internet Access
8816-000023 Internet Access

 

I dunno how old this list is, but there's been some adds to it since. I remember 311 and 312 were both valid. And speaking of which, if you want to hear that Tempe gateway recording, it's free via the two stage dialing service; 480-768-2500.

 

Finally, there's data services. If you have a USB (or RS-232, depending on the age) connection to your phone, you can make circuit switched data calls. For PSTN stuff, that means making calls via a Portmaster's bank of dial-up modems. No, really. If you have a modem, you can go say hi to it; 480-768-2510. But you're basically getting something like 2400-3800 baud data plus satellite latency. So if you want to use it for internet, a dial-up shell and lynx might work better than an actual PPP session.

 

As for the codec, well, here's what a call over it sounds like - http://thoughtphreaker.omghax.ca/audio/iridium_fwd.flac. AMBE seems to have been specifically made to support call progress tones, so it'll transmit a few things (US ring, dialtone, busy/reorder, 420 Hz ringing) quite clearly, but other tones, like the UK ring tone for example, will be convoluted into one of those. Mostly 420 hertz, but sometimes it changes between 420 hertz and US dialtone.

0
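
The CPN point in the post above, as an added example that is not part of the original thread: a reader that assumes 10-digit NANP numbers returns nothing for a 12-digit Iridium number, while a length-agnostic parser keeps it and labels the prefix. Function names and sample numbers are constructed for illustration; the prefix labels are copied from the list in the post.

```python
import re

# Labels copied from the prefix index in the post above; the list's age is unknown.
IRIDIUM_PREFIXES = {
    "214": "Commercial Accounts", "310": "Test/Demo Accounts",
    "314": "Commercial Accounts", "315": "Prepaid Accounts",
    "316": "Prepaid Accounts", "317": "Colombia Ministry of Defense",
    "318": "Crew Calling Card", "414": "Commercial Accounts",
    "415": "Prepaid Accounts", "629": "contains smsc, etc",
    "762": "DoD limited voice service", "763": "DoD voice service",
    "766": "DoD international voice service",
}
# NANP: optional leading 1, then NPA and exchange that both start with 2-9.
NANP = re.compile(r"1?([2-9]\d{2}[2-9]\d{6})")


def legacy_ani(raw):
    """Hypothetical reader that only understands 10-digit NANP numbers."""
    m = NANP.fullmatch(re.sub(r"\D", "", raw))
    return m.group(1) if m else None


def parse_cpn(raw):
    """Classify a calling party number without assuming NANP length."""
    digits = re.sub(r"\D", "", raw)
    if not digits or len(digits) > 15:      # E.164 caps a number at 15 digits
        return {"network": "invalid", "number": digits}
    if digits.startswith("8816") and len(digits) == 12:
        label = IRIDIUM_PREFIXES.get(digits[4:7], "unlisted prefix")
        return {"network": "iridium", "number": "+" + digits, "prefix": label}
    m = NANP.fullmatch(digits)
    if m:
        return {"network": "nanp", "number": "+1" + m.group(1)}
    return {"network": "other", "number": "+" + digits}


# Constructed sample values, not real subscriber numbers.
SAMPLES = ["8816 315 00000", "+1 (202) 555-0100", "881631500000999999"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "legacy:", legacy_ani(s), "parsed:", parse_cpn(s))
```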


I've tried the data calls. I can establish to Seattle Community Network and it works - though I get a lot of dropped calls. Same with Direct Internet - got TCP acceleration kicking in in a VM and was able to surf over Iridium.

I didn't know about the 8816 number for the test number -- Iridium strangely tells users to just call the +1 468 number and it'll be airtime free.

My Iridium number is 8816-325 and it's a prepaid account.

 

BTW -- it is an RS232 data connection to the phone (Iridium 9505A) running into a USB-serial adapter.

 

I'm going to dig a bit more deeply into Inmarsat though as I move along -- Inmar airtime is surprisingly cheap (less than $0.90/minute and 2 year expiry versus Irid's upwards of $3/minute for 90 days!). I'm on the 870 77 prefix - 77 for BGAN.

 

And the BGAN was a steal -- $375 for an Explorer 300!  :D

Edited by kotaKat
0


Interesting! I never got a chance to play around with Inmarsat, but I've heard they let you do ISDN over their terminals. If they do, can you get an actual, 64k call going on their network?

0


> Interesting! I never got a chance to play around with Inmarsat, but I've heard they let you do ISDN over their terminals. If they do, can you get an actual, 64k call going on their network?

 

Sadly my Explorer 300 doesn't have ISDN support as it's a low-end BGAN. I have the options of data streaming though (a dedicated 32k or 64k IP channel), but my SIM isn't provisioned to use BGAN Streaming IP - if I ask my provider to switch, I have to lose my remaining precious ~100 voice minutes left.

 

Inmar uses a "units" system: 1 unit per minute of voice, .5 unit per outbound SMS (inbound is free - including email-to-SMS), and 9.1 units per megabyte of data.

0


Yeah, free to you, $10 a minute to whoever calls your satellite number.

-1


> Yeah, free to you, $10 a minute to whoever calls your satellite number.

 

Funnily the cheapest service I've seen for a "local" DID was SatCollect; a company who charges $10/month for the number then $1.35/minute for inbound voice calls. I looked into doing an Asterisk call-back style setup but I can't find any VOIP carriers that will come close to touching SatCollect's termination rates. And if it costs me less to call out than to receive in, it's easier for the caller to just send me a text via <number>@message.inmarsat.com on their cell. They pay for their SMS, then I just take the ~$0.85-ish a minute.

 

As ThoughtPhreaker puts it though, for international calls it's one price per minute no matter the country (except for, of course, BGAN to other satphone calls - interconnect rates between Inmar and Irid are upwards of $10+ a minute outbound!).

 

Anyone got some North Korean numbers to call?

0


I can only speak for Iridium since I'm familiar with them, but since they use Sprint for all their outbound traffic, I've heard they have lower rates into the network. Inmarsat might have a similar arrangement with whomever they send their traffic to.

 

Speaking of which, do they have anything like the two stage dialing service? That would simplify everything a lot, and probably keep your call from being transcoded a hundred times.

0


There are North Korean numbers you can call from outside there, mainly government and foreign embassy numbers.

As far as I know you can't call into the mobiles of the general public.

That would be an interesting scan project, I remember seeing a list of prefixes/numbers you can call somewhere online.

-1


> I can only speak for Iridium since I'm familiar with them, but since they use Sprint for all their outbound traffic, I've heard they have lower rates into the network. Inmarsat might have a similar arrangement with whomever they send their traffic to.
>
> Speaking of which, do they have anything like the two stage dialing service? That would simplify everything a lot, and probably keep your call from being transcoded a hundred times.

 

I haven't seen two-stage dialing on Inmar. I'm not sure who Inmarsat routes through if only because they're a UK-based company. I do see that my data connections go through an APN at Stratos Communications here States-side in Florida despite Facebook believing I'm logging in geolocated to India...

 

I did come across this document - http://www.inmarsat.com/support/carrier/ - which mentions something curious for the new GlobalXpress platform: "Calls to these numbers should be at no more than US$0.15 per minute retail fee, thus offering a reliable and inexpensive way to contact Inmarsat Global Xpress (GX) customers."

 

Too bad GX will probably be too expensive for me to get near...

0


It sounds like that's for carriers that have thousands of minutes worth of traffic. As for outbound, maybe try a few things? NPA-700-4141, 770-988-9664, 402-959-6907, 202-484-0000 (take note of how many sets of three dialtone bursts there are if there aren't too many), 800-223-1104, password 910777, and the usual unassignable prefixes. NPA-958, 959, 311, 950, etcetera. One of these'll be bound to get you something from their long distance carrier :) . Or in the case of those ANACs, something that could help identify them anyway.

0
