Mr. Spock

What can I do (phreaking-wise) on a 1AESS Switch?

32 posts in this topic

I'm new on the phreaking scene, so bear with me. Anyways, I was looking through the forum and saw a list of remaining 1AESS switches and noticed that there is one in my city. I dug deeper and found out that it happens to serve my POTS line (what were the odds!). In short I would like to know if there is anything special I can do with the beast.

Awesome. Grab an inter box and record some audio of your idle (on-hook) line and call progress noise, if it doesn't mute it! 5ESS on-hook noise isn't too exciting (mostly a 120-hertz hum (power supply noise) and occasional crosstalk from the neighborhood cable for me) but since you're still on a mechanical system your line-idle noise is probably much more interesting. Somebody once described 1ESS as "basically a glorified crossbar system".

An "inter box" is a device that connects between your fone line and the microphone input of a tape recorder or your computer sound board. Or the phono/magnetic cartridge preamp input of a stereo receiver (it *has* been done...) You can build one or you can get one for about $30 at Rat $hack and they're worth every penny. ("Multi/Single Phone Recording Control", part #4300421 or #43-421.) For somebody new to phreaking an interbox can be one of the most important pieces of gear you can have in your setup and is something I wish I had had when I was on independent step and ex-Bell crossbars in the 80s/early 90s. Record *everything* you can (44100 Hz 16-bit PCM of course) for further analysis and take notes! Remember to use a lowpass-filter-module-thingy if you have DSL service on that same line.

Study the "Some Numbers" threads here and call some of them. Call PBXes after business hours and fool around with them. (Hint: "#" or "*" at interactive voice response menus gets you into "special" areas of many (not all) PBX systems, and if you have a DTMF dialler with the "dark tones" on it, throw A/B/C/D at them.)

Don't do anything destructive or go at it with ill intentions. Remember if you feel like you're getting a bit too deep into something for comfort then you probably are, hang up and try something on a different number somewhere else. Doing *67/1167 before dialing the number usually should block your calling party identification from reaching them on local and (I think) long-distance 1-XXX calls (your call would show up as "PRIVATE" on their caller identification, in other words) but this doesn't always work on 1-800 numbers so use caution if you try to get "behind the scenes" of a PBX on a 1-800 number; if they have a local/long-distance (toll rate) indial use it instead.

Phreak from payphones if you still have real ones run by the phone company (not COCOTs), especially if you try sending "forbidden" tones down the line. 2600 Hz with few exceptions (*cough* Project-MF *cough*) doesn't really get you anywhere on the network any more and redboxing is pretty much dead nowadays but there are others that could still raise eyebrows at the phone company (like MF tones) if sent from home. Never clip onto neighbor's lines in junction boxes, that's probably illegal and just rude. Unless they say you can do so, even then try to avoid the temptation.

Take information in phreak text files scattered around the Internet/Web with many grains of salt, a lot are either very, very out of date or were total BS to start with. Text files like the back issues of Telecom Digest http://telecom.csail.mit.edu/ can be a fairly reliable source of historic information.

Good luck in your explorations and be sure to come back here often.

And remember, you haven't truly "been there" until your hands have been made numb from 90-volt 20 Hz AC ringing voltage going through them while hooking up an extension! (Something you really want to try to avoid.)

http://amazon.com/RadioShack-Recorder-Controller-Single-43-421/dp/B007Z85WTO

Wow! Thanks for all the info. I have just ordered the box you suggested and I will do my best to post some recordings as soon as I can. Regarding MF tones and the 2600 Hz: when you say there are a few exceptions, do they include 'real' phone switches/systems that are still run by a telco? (As I understand it, Project MF is a simulation.) Also, in a typical switch today, can MF tones still do anything, or have they been completely phased out so that they aren't even recognized as dialing/user input?

Thanks again!

VERY nice! Sounds like you hit the phone lottery here :) .

So the first thing I'd do is try a trick I've heard mentioned a few times: pick up, and dial * or # every ten seconds or so. I doubt it works now, but according to some of the old-timey people who played with these switches in their prime, this will hold up the customer dial pulse receiver (I think that's the official 1A term for the thing that takes your digits) indefinitely. Since the power at that point isn't balanced, you'll get to hear crosstalk from other people dialing calls.

But anyway, from my understanding of AT&T, the 1AESS, like the EWSD, is one of those black sheep switches that not a lot of people know how to run. So you'll occasionally run into them doing old or wrong translations. For example, from AT&T's EWSDs, you can dial a 0xx code straight from the dialtone; no need to dial a carrier access code before it, like on some of the DMS-100s that allow this.

So with that in mind, I'd try:

10-288-0

950-0000

101-0110-0

214-040-1152 (or 208-045-1810 if your switch complains that it's not a toll call)

<your carrier access code> + 1-208-045-1810

101-0333#

958 or 959 plus any four digits (these are specifically set aside as test exchanges)

That's all I can think of at the moment, but I'm sure everyone will be lining up to ask you stuff :) .

Also, in a typical switch today, can MF tones still do anything, or have they been completely phased out so that they aren't even recognized as dialing/user input?

Yes and no; MF is still used in a bunch of situations, but 2600 hertz supervision isn't used under any circumstances that I know of besides its role in C5 signaling. Instead, the least significant bit of the audio stream is robbed to convey supervision when an SS7 channel isn't available.

But yeah, so you'll occasionally see it where SS7 or Q.931 aren't appropriate to be used; like, for example, the ANAC in central offices usually gets MF digits. A fair number of PBX trunks can use it as well. Also, mostly in rural areas, you'll see some companies not bother with SS7. You'll occasionally come across an oddball CLEC that won't bother with SS7 either. From my understanding, feature group B (950-xxxx) will always use an MF trunk group for some reason.

Lastly though, there's usually a backup set of MF trunks in a central office should any of the SS7 hardware fail. From a subscriber standpoint though, MF is reasonably quick and silent, so you might not always be able to hear it. But come to think of it, it's definitely possible that you could get a switch to try using one of these trunk groups if you give it an unusual SS7 cause code. That's something we'll have to look at sometime.

Regarding MF tones and the 2600 Hz: when you say there are a few exceptions, do they include 'real' phone switches/systems that are still run by a telco? (As I understand it, Project MF is a simulation.) Also, in a typical switch today, can MF tones still do anything, or have they been completely phased out so that they aren't even recognized as dialing/user input?

There are still a few things "out there" like the ANAC thing in Portland that Thoughtphreaker found (http://binrev.com/forums/index.php/topic/47386-cognitronics-mf-digits/). As far as domestic network routings go, that has pretty much all gone to out-of-band signalling (SS7/CCIS) now, though some telcos reportedly do keep MF systems around for emergencies, like SS7 crapouts-- better to have the technology in place and not need it than to need it and not have it. Though you might get lucky and find a really old PBX somewhere that still uses MF (or even SF pulse) for internal routings over tielines and stuff like that. One friend of mine as recently as 2012 worked at a company that actually had a '60s era step PBX and used SF internally, but it was decommissioned and replaced with a packet system just months before they went out of business that fall. I think it's the general consensus that with the cutovers to T-carrier/SS7 in Wawina, MN in 2004 and that one little town in Alaska (can't remember the town name) in ~2011, blueboxing is basically dead outside of sims like Project-MF and museum exhibits, or hobby PBXes like you'd find through C-net.

Again, if you do decide to play with MF, do it from a payphone or get a VOIP system, but don't do it from your home wireline if you can avoid it. I don't think the chances are very high of getting nailed by the telco nowadays if you do try it from your wireline and I know phreaks who have done it for years with no issues, but you really can't be too paranoid. 2600 really does nothing useful on the greater PSTN these days, so you can sit there blowing 2600 at your line all day and it won't do anything. I think it's more of an historic curiosity today than anything. "Silver box" tones (DTMF A/B/C/D) should be relatively safe to use, I mean most basic computer modems can generate them and there are some older 12-key DTMF fones that can reportedly be made to generate them by messing with their internal wiring. Or you could track down an old surplus AUTOVON phone and have access to them right there.

If you're bored, try calling 660-879-9999 a bunch of times and you'll kind of get a "grand tour" of the nation's AT&T tandem network.

EDIT ADD:

I wasn't aware that FGB still always used MF! Hmmm.....

But anyway, from my understanding of AT&T, the 1AESS, like the EWSD, is one of those black sheep switches that not a lot of people know how to run. So you'll occasionally run into them doing old or wrong translations. For example, from AT&T's EWSDs, you can dial a 0xx code straight from the dialtone; no need to dial a carrier access code before it, like on some of the DMS-100s that allow this.

So with that in mind, I'd try:

10-288-0

950-0000

101-0110-0

214-040-1152 (or 208-045-1810 if your switch complains that it's not a toll call)

<your carrier access code> + 1-208-045-1810

101-0333#

Spock, there was a now somewhat famous article in "2600" magazine a couple years back that went into detail about phreaking EWSDs and access tandems and numbers like these. I'll try and dig it up later and type it up for you. That was how I originally learned about it.

958 or 959 plus any four digits (these are specifically set aside as test exchanges)

Try 1010288 1 206 9591050, for example.

Edited by scratchytcarrier
10-288-0: your call cannot be completed as dialed. If you are calling a five digit code, it has changed.

950-0000: line busy noise

817-950-0000: can't be completed as dialed

101-0110-0: your call cannot be completed as dialed

214-040-1152: your call cannot be completed as dialed

208-045-1810: your call cannot be completed as dialed. Please dial a 1 or a 0 blah blah blah

1-208-0450-1810: your call cannot be completed as dialed

101-0333#: your long distance service has been temporarily discontinued. Please call customer service for assistance

I dialed only the numbers given (I didn't add anything on). If I did it wrong, I apologize and I'll try again.

PS: what are carrier access codes, and how would I find mine?

Also, dialling # or * does hold up the line; I even dialed ten #'s and it wouldn't treat it as a number. However, I was unable to hear crosstalk.

Edited by Mr. Spock
PS: what are carrier access codes, and how would I find mine?

They're numbers you dial before the phone number you're calling, to access alternate long distance services to the one you're subscribed to (or not). See how in the 1-206 number I listed at the end of my post above, I preceded it with "1010288"? That's the CAC for AT&T (spells out "1010ATT"). They used to be in the form of 10xxx but that changed to 101xxxx in the mid 1990s because the market had expanded so substantially by that point that they were running out of numbers in the old format. So for example if you subscribe to Sprint (1010333) as your carrier and you want to make a call over the remnants of MCI, you'd dial the number as 1010321 1 234 567 8901. Every long distance carrier in the US has to have at least one CAC and this was mandated as a term of the breakup of the Bell System in the 1980s, to provide easier access to competitive long distance services. By using a carrier access code, your call goes over that particular long distance network and some are better than others.

Incidentally, doing 1010333# is supposed to get you a second dial tone on Sprint. In theory, anyways. (Doesn't work for me, IRMV.) You'd dial that, then at the dial tone enter the number, and it would then prompt you to enter your authorisation code. This is supposed to be the same as calling their old 950 number, which I have no idea if it still exists or not.

Listen to this Off the Hook episode from 1990, Eric goes over how this works in considerable depth: MP3 file here. The CACs he describes are in the old 10xxx format (the current 101xxxx format didn't exist then) and some of the LD companies he mentions have long gone out of business, but the principle is still the same today.

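The carrier access code format scratchytcarrier describes above (the old 10xxx form, the current 101xxxx form, dialed ahead of a 1+ number, with a trailing # asking the carrier for its own dial tone) is easy to misread when you are copying dial strings out of notes or recordings. The following is an added example, not code from anyone in this thread: a small Python parser that splits a North American dial string into its parts. The *67/1167 caller-ID block prefixes and the 958/959 test exchanges come from posts above; the folding of an old 10xxx code into 1010xxx (10288 into 1010288), the dictionary field names and the handling of leftover digits are my own assumptions. The function only classifies what was dialed; it knows nothing about which codes are live.

```python
import re

# Exchanges the thread names as set aside for test numbers
TEST_EXCHANGES = {"958", "959"}


def parse_dial_string(dialed):
    """Split a NANP dial string into its components (hypothetical field names).

    Recognized in order: an optional per-call caller-ID block (*67 or 1167),
    an optional carrier access code (current 101XXXX, or the pre-1990s 10XXX
    form, which is folded into 1010XXX), an optional '1' toll prefix, then a
    10-digit NPA-NXX-XXXX or 7-digit NXX-XXXX number.  A lone '#' after the
    CAC is reported as a request for the carrier's second dial tone.
    """
    # Spaces, hyphens, parentheses and dots are separators; * and # are kept
    s = re.sub(r"[\s\-().]", "", dialed)
    info = {"cid_block": None, "cac": None, "toll_prefix": False,
            "npa": None, "nxx": None, "line": None,
            "test_exchange": False, "second_dial_tone": False, "remainder": ""}

    # 1. Per-call caller-ID blocking, touch-tone or rotary form (from the thread)
    for code in ("*67", "1167"):
        if s.startswith(code):
            info["cid_block"], s = code, s[len(code):]
            break

    # 2. Carrier access code.  A real NANP number can never begin with "10"
    #    (NPA and NXX start with 2-9), so a leading 10 is unambiguous.
    #    Assumption: the old five-digit 10XXX form maps to 1010XXX; old
    #    five-digit codes that themselves began 101 are not handled.
    if re.match(r"101\d{4}", s):
        info["cac"], s = s[:7], s[7:]
    elif re.match(r"10\d{3}", s):
        info["cac"], s = "1010" + s[2:5], s[5:]

    # 3. "CAC#" with nothing after it asks the carrier for its own dial tone
    if info["cac"] and s == "#":
        info["second_dial_tone"] = True
        return info

    # 4. Toll prefix, then a 10- or 7-digit number; anything else is left
    #    as-is (e.g. "0" for the operator, or a malformed string)
    if len(s) == 11 and s[0] == "1":
        info["toll_prefix"], s = True, s[1:]
    if re.fullmatch(r"\d{10}", s):
        info["npa"], info["nxx"], info["line"] = s[:3], s[3:6], s[6:]
    elif re.fullmatch(r"\d{7}", s):
        info["nxx"], info["line"] = s[:3], s[3:]
    else:
        info["remainder"] = s
    info["test_exchange"] = info["nxx"] in TEST_EXCHANGES
    return info


if __name__ == "__main__":
    # The example dial string from scratchytcarrier's post above
    for k, v in parse_dial_string("1010288 1 206 9591050").items():
        print(f"{k:>17}: {v}")
```

Feeding the strings from Mr. Spock's results post through it shows why two of them drew "cannot be completed as dialed": 1-208-0450-1810 is twelve digits, so it lands in the remainder field rather than parsing as a number, and 214-040-1152 parses positionally but has an NXX beginning with 0, which is not a valid exchange code.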
Can I ask what 1AESS switch serves you?

Odessa, Abilene, Fort Worth, El Paso, the two 1AESSes in Dallas, or Beaumont?

(Sadly, I'm served by a 5ESS in SW Houston and I got affected by the flooding on Monday)

Fort Worth

FTWOTXWACG0

At first, I suspected Mr. Spock might actually have Uverse digital voice. However, since he got the recording on 101-0333#, I'd say he has POTS. I've never been able to dial a CIC on any digital phone service.

Thoughtphreaker, I think you're right about the name for the thing that receives dial pulses/tones. I'm pretty sure they call it that on a 5E as well.

PS: what are carrier access codes, and how would I find mine?

You got the explanation of what they are from scratchytcarrier. AFAIK, you can't find out exactly what CIC your line is set up for without calling AT&T, your local phone company, and asking. Some Long Distance companies have several CICs and I suppose your line could be set up for any one of them. Knowing what CIC your line uses doesn't really get you anywhere.

You can find out what long distance carrier you subscribe to by looking at your bill or by dialing 1-700-555-4141. You'll get a recording from your Long Distance carrier.

^ What they all said. Keep in mind, there's some weird CACs too. Like, 101-0110 for example, is used for local traffic on Verizon's EWSDs (both ILEC and ex-MCI CLEC ones) for some reason. Jman probably knows more about it than I do, but my guess is it's some sort of workaround.

There's also a few that'll let you get a dialtone from the long distance tandem if you just dial # at the end. Sprint is one of those actually, but you have to be a subscriber.

These'll work from any line if there's a long distance tandem that uses the CAC in the area:

101-0555 belongs to the Verizon ex-Worldcom DMS-250/CS-2000 network. It wants an authorization number.

101-0432 will work in any area where Qwest has a DMS-250 tandem instead of a Sonus NGS (so it'll work in any area besides native ex-Qwest/Centurylink territory). It too wants an authorization number.

101-0725 belongs to Windstream's McLeodUSA network, and will route you to a DMS-500. It wants an actual destination, but it's just plain perplexing. Known valid destinations are any toll-free number on that network (800-711-3408 is one of them)

101-0288 belongs to AT&T as scratchytcarrier said, and in most areas where there's a 5ESS tandem going in between your phone company's access tandem and the 4ESS toll tandem, you can get a dialtone from it. Whatever you dial, don't put a one before it - they tend not to like that.

101-5483/101-6963 belongs to Verizon's ex-GTE/Bell Atlantic network, some perplexing combination of DMS-250/CS-2000/5ESS/Sonus NGS, and who knows what else. In DMS-250 or CS-2000 areas, you can get a dialtone from it, but it'll want an authorization number.

These'll work only if you're a subscriber:

101-0333 belongs to Sprint's DMS-250 network

101-0222 belongs to Verizon's ex-MCI DMS-250/DEX400,600 network

Since nobody else has mentioned it, now would be a good time to say that you really only want to call numbers that're free in the first place or don't answer via these CACs. Making a billable call on them without a subscription is called casual dialing, and it's basically designed to make you never want to do it again.

So anyway though, it sounds like your 1AESS (at least judging by what you've said) is a little 5ESS-like in the way its dialplan is laid out. Makes sense, I guess. I'm glad Nyphonejacks brought up fourth column DTMF, though. Would you try dialing a few numbers with that and seeing what it does? On the 5ESS, I think it just sends all four to reorder. The DMS-100 will send A, B and C to an error recording (I think CBCAD), and D to a reorder.

As I'm sure you've guessed by now, there's no modern knowledge of 1AESSes, so we're definitely going to have to play this one by ear :) .

Thanks for the credit, but scratchytcarrier brought up AUTOVON and ABCD tones; I was just piggybacking off of what he said and offering a place to easily get those tones onto an Android phone... I mostly use that ToneDef app on my phone when installing doorphones, or "breaking into" my customers' locations, usually when the ATA for the doorphone loses registration...

Will try the fourth row. What/when do I dial with the ABCD keys in this case?

PS: the interbox I ordered is supposed to arrive today, I'll see about posting some recordings

Anytime when you're dialing is fine; I was poking around with this idea last night, and found out that EWSDs map the digit D over to 0 for some reason. It'll definitely be good to hear some recordings :) .

On the 5ESS, I think it just sends all four to reorder.

Last I tried it on my 5E, sending "A" from a dial tone drops you to Pat Fleet saying her "if you'd like to make a call please hang up and try again" bit followed by the squawker. I gather "A" must be what the machine silently autodials to time-out the dialtone and put that message sequence on the line. The other three go to reorder.

The first recording is a normal call to a local milliwatt. The second call is also to the milliwatt, however, I dial the first 9 digits, then A B C and D, then dial the final number. This leads me to believe that the switch does not recognize them as numbers.

Milliwatt.wav

ABCD.wav

Edited by Mr. Spock
Anytime when you're dialing is fine; I was poking around with this idea last night, and found out that EWSDs map the digit D over to 0 for some reason. It'll definitely be good to hear some recordings :) .

I can confirm that :)

From the dialtone, A B and C go straight to reorder.

Mr. Spock, if you're dialing from a cordless phone, it might be hard for you to hear crosstalk. I suspect even a junk corded phone will let you hear more than the average 5.8GHz cordless phone.

Those recordings sound pretty good, thanks for posting them. If you're taking requests, I'd like to hear 20 or 30 seconds of silence after you break the dialtone and press * or # in order to keep you from going to a recording. If possible, do this during business hours, 9AM-5PM, because that's the busiest time for telephone traffic. You're more likely to hear crosstalk during that time.

I can get into the 101-0110 in another thread. I suspect it works the same as dialing a call direct in the instances where it works for people. I think that's how it is for me. But, you never know.

VERY nice! Just as a suggestion though, you may want to consider recording from something without an AC adapter plugged into it, or put an isolation transformer into your recording circuit; the hum on there is probably caused by that, and judging by how far up the 60 hertz harmonics go, it looks pretty hard to remove.

My recording setup doesn't involve AC adapters; I believe the hum comes from the computer, as I had to set the gain pretty high. As for the phone I'm using, it is wired. The lack of crosstalk may be due to me living in a residential area with above-ground lines.

Also, I AM taking requests; I'll get to them as soon as I can between school finals week.

PS: if anyone has a recording of a fully digital switch, I would like to compare recordings.

Edited by Mr. Spock
I'll try to get a recording from my switch (HSTNTXSUDS0) since the announcer on the ABCD.mp3 Milliwatt.wav is the same one as mine.

I described the wrong file in my original post... how embarrassing.

"PS: if anyone has a recording of a fully digital switch I would like to compare recordings"

Now that I think about it... are you talking about a digital switch such as a 5ESS or about the recording setup?

Edited by ramsaso
or put an isolation transformer into your recording circuit; the hum on there is probably caused by that, and judging by how far up the 60 hertz harmonics go, looks pretty hard to remove.

If it's the Rat $hack inter box it's best to keep the box itself away from power cords (or near walls where the power cables are) and computer equipment, they do tend to pick up inductive noise. Also putting the "MULTI SINGLE" switch on "SINGLE" seems to reduce hum, for some reason. Choking the telephone and audio lines on the box can sometimes help but the kind of hum I'm hearing sounds like it's set for MULTI.

It also depends on how well isolated the telephone wiring is in your building (between the junction box and your phone), since telephones usually have filtering in the network or even in the handset speaker that inter boxes do not-- the box has a rather wide characteristic bandwidth and will reveal background noise that otherwise isn't noticeable through a telephone. Thus it's normal to hear some amount of hum when running one barefoot.

Also, when posting audio here you may actually want to encode it first in MP3 (320 kbps CBR of course) or FLAC instead of straight PCM. You don't have to, but it does conserve your attachment quota (keeps from eating up your 20MB too quickly).

Nice linefinder action as the dialtone comes on!

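Two questions raised in this thread can be answered from a recording with the same piece of math: whether the fourth-column tones in Mr. Spock's ABCD.wav are well-formed DTMF that a receiver would decode as A, B, C and D, and how far up the 60 Hz harmonics in the hum reach (Thoughtphreaker's and scratchytcarrier's remarks above). The block below is an added example, not code from anyone in this thread. It uses the Goertzel algorithm, which measures the energy at one chosen frequency without computing a whole FFT, to decode a 16-key DTMF sequence including the fourth column and to list which mains harmonics sit within 30 dB of the strongest. The 8000 Hz sample rate, the tone amplitudes and the thresholds (a tone must be at least 8x, about 9 dB, above its nearest competitor) are my own constructed choices, and all signals are synthesized inside the block; reading a real .wav file with Python's standard wave module and converting the samples to floats is left out.

```python
import math

RATE = 8000  # Hz; assumed sample rate for the constructed signals below

# Standard DTMF grid.  The fourth column (1633 Hz) carries A, B, C and D,
# the "dark"/"silver box" tones discussed in the thread.
ROW_FREQS = (697.0, 770.0, 852.0, 941.0)
COL_FREQS = (1209.0, 1336.0, 1477.0, 1633.0)
KEYS = ("123A", "456B", "789C", "*0#D")


def goertzel(samples, freq, rate=RATE):
    """Squared magnitude of `samples` at `freq` (Goertzel second-order resonator)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def dtmf_key(frame, rate=RATE):
    """Key whose row+column pair dominates `frame`, or None for silence,
    a single tone, or an ambiguous mix."""
    n = len(frame)
    min_power = (0.02 * n / 2.0) ** 2            # ignore frames below ~2% full scale
    row_p = [goertzel(frame, f, rate) for f in ROW_FREQS]
    col_p = [goertzel(frame, f, rate) for f in COL_FREQS]
    r = max(range(4), key=row_p.__getitem__)
    c = max(range(4), key=col_p.__getitem__)
    for powers, i in ((row_p, r), (col_p, c)):
        runner_up = max(powers[j] for j in range(4) if j != i)
        # Winner must be loud and at least 8x (9 dB) above the next candidate
        if powers[i] < min_power or powers[i] < 8.0 * runner_up:
            return None
    return KEYS[r][c]


def decode_dtmf(samples, rate=RATE, frame_len=0.1):
    """Walk fixed frames and emit a key each time a new tone pair starts.
    A silent (None) frame resets the state, so repeated digits stay distinct."""
    n = int(frame_len * rate)
    out, prev = [], None
    for start in range(0, len(samples) - n + 1, n):
        key = dtmf_key(samples[start:start + n], rate)
        if key is not None and key != prev:
            out.append(key)
        prev = key
    return "".join(out)


def hum_harmonics(samples, rate=RATE, fundamental=60.0, count=10, floor_db=-30.0):
    """Harmonic numbers of the mains fundamental whose level is within
    `floor_db` of the strongest one; the last entry says how far up the hum goes."""
    powers = [goertzel(samples, fundamental * h, rate) for h in range(1, count + 1)]
    ref = max(powers)
    if ref <= 0.0:
        return []
    return [h for h, p in enumerate(powers, start=1)
            if 10.0 * math.log10(max(p, 1e-30) / ref) >= floor_db]


# --- constructed test signals, not real line recordings ----------------------

def make_dtmf_sequence(keys, rate=RATE, on=0.1, off=0.2):
    """Synthesize `keys` as DTMF pairs (0.25 amplitude each) with silent gaps."""
    out = []
    for key in keys:
        r = next(i for i, row in enumerate(KEYS) if key in row)
        c = KEYS[r].index(key)
        f1, f2 = ROW_FREQS[r], COL_FREQS[c]
        out += [0.25 * (math.sin(2 * math.pi * f1 * i / rate)
                        + math.sin(2 * math.pi * f2 * i / rate))
                for i in range(int(on * rate))]
        out += [0.0] * int(off * rate)
    return out


def make_hum(amplitudes, rate=RATE, seconds=1.0, fundamental=60.0):
    """Synthesize mains hum from a {harmonic_number: amplitude} mapping."""
    return [sum(a * math.sin(2 * math.pi * fundamental * h * i / rate)
                for h, a in amplitudes.items())
            for i in range(int(seconds * rate))]


if __name__ == "__main__":
    print(decode_dtmf(make_dtmf_sequence("1A5D#0")))                    # 1A5D#0
    print(hum_harmonics(make_hum({1: 1.0, 2: 0.5, 3: 0.25, 5: 0.1})))  # [1, 2, 3, 5]
```

Because Goertzel evaluates only the frequencies you ask for, the hum check runs the same way on a multi-minute recording as on the one-second constructed signal; if the returned list reaches the ninth or tenth harmonic, a single notch at 60 Hz will not clean the recording, which is the point scratchytcarrier and Thoughtphreaker were making about isolation and switch placement rather than filtering.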
Here is the line going silent awaiting a number (recorded at 4PM). It's about a two-minute recording (sampled at 16000 Hz to stay small). I didn't hear any crosstalk, but if anyone does I'd love to know.

PS: @ramsaso I am referring to the switch, not the recording setup

linewaiting.wav

Edited by Mr. Spock
I couldn't hear any crosstalk in that recording. In the case of the 1AESS, the crosstalk we're looking for is coming from somewhere in the switching matrix, not your neighborhood cable. Thus, even though your line is in a residential area, that shouldn't affect your chances of hearing crosstalk. However, I don't think all 1A machines had this characteristic. It may even be certain lines on a given 1A have this while others don't. I'm not sure if it was because of the CDPR or something else. You might be able to hear crosstalk on your neighborhood cable, but only when the line is idle, and that's something that applies to all analog lines served by digital switches.

Another thing I seem to recall is that some 1A machines put multiple people on ringback tones, right? If you know a number in your 1A that rings for a long time, you could dial it up, preferably during a busy hour, and see if you hear someone come on. Keep in mind that if this happens on your switch, you may only be able to hear people calling from your switch. That's because many carriers block audio before the call answers. As such, since the call has not answered while the line is ringing, you wouldn't be able to hear me calling from another state over AT&T Long Distance because they don't let ME transmit audio until the line answers. Calling from inside the 1AESS, there is no such restriction AFAIK. It's certainly possible that intra-LATA calls may pass audio before supervision. So, somebody calling from a nearby switch is being routed over a local tandem, and I'd say it's not uncommon for local tandems to pass audio before supervision.

About hearing some digital switches, I can post some stuff up soon. You could listen to some recordings here in the meantime: https://web.archive.org/web/20071019235219/http://www.stromcarlson.com/audio/

You may also want to look for some test codes on your switch. Try 958-1114, 958-1122, 959-1114, 959-1122 to get started. Those might give you the number ringback. You could also look for the ringback code. That lets you test the touch tones to see if the frequencies are on or off pitch, and it also lets you ring your phone back. Some part of the code for ringback is part of your telephone number. You could try 959-your last 4 digits. Test codes also tend to appear in the 11X range. For example, in my area, most switches have ringback on 113-last 4 digits. The old ANAC list on Wikipedia says 970-1234 is the ANAC for 817. Although that list is quite old, it's worth a shot.

I'd wager that the number readback machine in your office is quite old and may sound interesting. If you find it, I'd love to hear what it sounds like. Just make sure you clip out some digits of your number, but try to leave the sounds right before and right after the machine comes on and disconnects intact.

According to Evan Doorbell, 1As installed after the mid-70's had crosstalk during dialing. Earlier ones were dead silent.
