Rambozo the clown

CCITT5 in the late 2010s

19 posts in this topic

Yes and no. There's a lot of C5 trunks that're still out there. They're by no means the only the only way in and out of the country, though.

For example, the island nation of Palau has trunks via Intelsat that use C5 (and g.726 apparently). But they also have another route in and out of the country.

Then there's the Genesys meeting center. See, the company (now part of Intercall, actually. I have no idea how you'd sign up specifically for this platform) runs a conference service in the Asia Pacific region of the world, and strangely enough, there's two access numbers that'll terminate there over C5; 866-284-3437 and 3438. You might have to call them a few times to get a good route; it's sort of the luck of the draw.

I think that one is a pretty clear case of tromboning. See, a RESPORG lookup shows the number goes over Verizon's ex-MCI/0222 network. The actual access number in Singapore, among other countries like Malaysia and Japan, are all available in random places on the internet. I've called all of them - or at least I think all of them from the exact same network, and not had any luck getting that route. A large conferencing company like this one would likely have the resources in place for this sort of operation too. For whatever it's worth, someone once mentioned to me they found a PIN for the conference (which by itself is pretty harmless; they're given out publicly, and can't be used to start a conference without the moderator PIN), and contacted an operator in the US from the service. At no point did it touch a C5 route.

Then there's Argentina. Once again, MCI comes into the picture. Well, sorta. Like with the weird Malaysian thing, this route seems to only come into play in certain scenarios. If you try calling it, for example, over AT&T, you'll hear this; 877-655-0054. One C5 chirp. But over MCI? 877-278-9344. Two C5 chirps! No idea how that's routing exactly, but the really cool bit too is if you get the distant platform to hang up on you, you'll hear the sound of a reorder coming from the international gateway switch on AT&T's route. We think that's an EWSD; one revision of EWSD hardware will have call progress tones that fade sorta in and out like that reorder. There's another that for whatever reason, has completely different sounding call progress tones.

Anyway, there's international access numbers for that Argentinan platform if you want them; http://www.telefonica.com.ar/telefoniafija/hogares/tarjetas/accesos_calling.asp .

If you're wondering why exactly it is these exist in 2016, the answer is actually pretty simple: capacity.

In the T1 standard American/Japanese/Canadian networks use, there's a capability to do what's called bit robbing. Basically, in a mu-Law or a-Law PCM stream, there's 8 bits per sample. If you have no other way of telling the network whether your phone is on or off hook, you can rob the eighth bit of every sample to do that.

In the E1 standard (used everywhere else), you can't do this. Most of the time it doesn't matter, because you can dedicate one of the spare call channels to do something like SS7 (there's also some way to send inband tones over a dedicated signaling channel. I'm not sure exactly how that works for supervision). But in this case, they never did that - probably because they felt it was too important to sacrifice an entire call channel when they didn't need to. So since you can't rob any bits in the PCM stream, they have to use tones like on the analog carrier systems to let the network know whether your phone is on-hook or not.

Anyway, assuming you're still awake after all that, you can try seizing these if you want. You're kinda on your own, though - the stakes for international telecommunications fraud are pretty damn high, and as such, the people who still use C5 or anything like it tend to be pretty good at making sure their equipment is the only thing that can seize it. My guess is once the seize tone is sent from the transmitting end, they won't let the trunk be seized again until the present call has hung up. This happens when the network sends a burst of 2600 back in your direction (it'll ignore it if it's sent from your direction), which at least in this case, will instantly throw you off the trunk. If you really want to get anywhere with this, you'll have to find some way to keep it from doing that when whatever is on the other end hangs up.

 

EDIT: It also might be possible to seize the call before it goes offhook (makes the 2400 hertz cheep), but you'll have to be fast. That may not even be an option on something that answers instantly like this.

Edited by ThoughtPhreaker
1

Share this post


Link to post
Share on other sites

I'm currently trying to figure out how well this still works. PM if you are interested. I have made some progress with CCITT 5 blue box tones.

1

Share this post


Link to post
Share on other sites

Thank youThoughtPhreaker and d3crypt for your replies, they helped me a lot :laughing:

0

Share this post


Link to post
Share on other sites

You're kinda on your own, though - the stakes for international telecommunications fraud are pretty damn high, and as such, the people who still use C5 or anything like it tend to be pretty good at making sure their equipment is the only thing that can seize it.



"Yes! I got Siggy going on THEIR line! (*3-3-3* *ka-chunk*) What a way to reset a trunk."

0

Share this post


Link to post
Share on other sites

Posted (edited)

I figured we should start a list of countries that still use CCITT5 for international calls. It would be cool to get a list of country codes and prefixes.

For testing this stuff I recommend using Blue Beep on DosBox, which is available from Text Files via the Wikipedia article. Use the one with the source code, as its more up to date.

Check out this text file Blue Boxing in the Late 90s for more information on how this stuff works.
The CIA World Factbook has information on the phone systems in use in every country in the world. World Factbook

 

Numbers I have found so far that use it in some form:

 

United States Toll Free International Direct Numbers

866-284-3437 - C5 Trunk to Malaysia (maybe)

888-647-6843 - C5 Trunk to Argentina via Sprint
877-655-0054 - C5 Trunk to Argentina via AT&T
877-278-9344 - C5 Trunk to Argenina via MCI

Edited by d3crypt
added additonal information
1

Share this post


Link to post
Share on other sites

I was pretty active back in 2009/2010 with exploration and scanning, this is to the best of my recollection

 

In the UK there was some widely shared numbers that in the 90s were C5 directs as well as being free to call (0800 numbers), by 2009-2010 time only two remained:  Bahamas on 0800 890 135 (it had some kind of filter on and you wasn't able to seize at any point during the call) and Paraguay on 0800 890 595, outside of the capital city sometimes numbers in Paraguay would travel over C5 routes too.

 

In addition to this pre-earthquake calls to certain parts of Haiti would travel over C5 lines when you called numbers outside of Port-au-Prince, post earthquake in 2011 they for obvious reasons no longer worked. As far as numbers I'd have to dig through my old notes which are put away goodness knows where. Cuba was a place that I was planning on scanning before I became too busy with life and dropped out, I believe they have (had?) a mixture of the latest Chinese stuff in Havana and some of the older Soviet era crossbar stuff.

2

Share this post


Link to post
Share on other sites

0800 890 595 is now a (quite rare) example of the equipment engaged tone.

 

I haven't done much looking for interesting switching/signalling since the early 2000s. It's got more difficult now because most people and businesses in poor countries have jumped straight to GSM (+successors).

 

Back then, it would (as radio_phreak notes) be much more productive to look in the provincial towns and cities of poor countries than in their main cities.

 

My preferred method was to look online for hotels or businesses in those backwater areas, ideally finding their fax numbers, and call those. Much prefer bothering a fax machine than disturbing a person.

 

Now-a-days you need to do this armed with the country's dialling plan (wikipedia usually has these) - and most of the numbers you find will be mobiles.


Re Cuba, I can't reach the supposed second dialtone for the US base via +53 99.

The state telco is marketing the "fija alternativa" service - ie a GSM-based fixed service - suggesting aged and interesting POTS equipment exists.

Calling from here, it's evident that their international gateway is something not outrageously ancient, because it promptly returns an appropriate SS7 code for incorrect prefixes - 

eg +53 41 000000 returns the usual SIT+"the number you have dialled has not been recognised" from my local exchange.

+53 xx 300000 returns a Cuban intercept - in Spanish then English - after about 5 seconds of delay, where XX is any of the 2-digit areacodes listed at https://en.wikipedia.org/wiki/Telephone_numbers_in_Cuba. Sadly no signalling sounds are evident during the delays - I think I've tried all of them.

 

I had a quick look for hotels in Panama and all the phone numbers I found were +507 6xxx xxxxx - ie mobiles.

However, again, I'm hopeful that downstream of the international gateway is something elderly and interesting.

+507 900 0000 sometimes gives an intercept - Spanish only - mentioning C&W Panama, again with a significant post-dial delay.

+507 800 0000 gives my local telco's equipment engaged tone.

+507 811 1111 was answered by a human 

+507 700 0000 is a different Spanish intercept, with a longer post-dial delay.

+507 600 0000 or 500 0000 give my local telco's SIT+number not recognised intercept.

+507 400 0000 is the same intercept-after-delay as 900 0000.

+507 300 0000 is yet another Spanish intercept, with delay.

+507 200 0000 has a very long delay then something times out any my local telco plays SIT+"sorry, there is a fault".

+507 210 0000 has a long delay then the 900 0000 intercept

+507 220 0000 rings, again after a delay, and is answered by some sort of automated service - in Spanish.

No signalling sounds or evident, for me, in any of the above :-(

4

Share this post


Link to post
Share on other sites

Posted (edited)

Quote

866-284-3437 - C5 Trunk to Malaysia (maybe)

 

There's another number to that; 3438. If you're hitting a route that gives you g.729 (sorta ruins that catchy song), it's not a bad idea to try both a few times. Interestingly, the transcoding seems to come on after the C5 chirps; those (and sometimes some Australian sounding ring) are always clear as day.

 

So now when I found this -  I actually think I found it with radio_phreak, but when I did, I was about as excited as you can expect. But something wasn't quite right. If you do a RESPORG lookup on 3438/7, it comes back as using the MCI/0222 network. If you call the number directly terminating to the Malaysian destination (you'll find it with a bit of searching) over MCI though, it's end to end SS7. After trying a bunch of carriers with no success, the theory we wound up with is that they were re-originating via a third party country; likely Australia, to shave a few cents off termination charges.

 

Interestingly, when you hop on a conference on that access number, it'll allow you the option to contact customer service for the company, which is based out of Denver. The route you get is _definitely_ not C5.

 

For whatever it's worth, there was another number until semi-recently; 3439 that routed a little differently. Usually it was more likely to get a transcoded route, or other weird things - one route had 450 hertz ringback before the call went offhook quite a lot . But anyway, for whatever it's worth, during Hurricane Sandy it gave you an error recording from a Santera OCX. If I remember right, the other numbers worked fine though.

 

Quote

 


888-647-6843 - C5 Trunk to Argentina via Sprint
877-655-0054 - C5 Trunk to Argentina via AT&T
877-278-9344 - C5 Trunk to Argenina via MCI
 

 

 

One thing I've noticed is during that song they play for hold music, sometimes it likes to disconnect you in weird ways. The hold music in question passes some notes a few times that definitely sound like 2400 hertz, so I wonder if that has anything to do with it (maybe we should pay attention to the supervision status), or if it's just an apathetic operator hanging up on you. Incidentally, when the call tears down with 2600, you'll hear this curious reorder tone from the international gateway that sorta fades in and out. Based on this, I wonder if it's a type 1 EWSD: https://pastebin.com/q1dvEcVw .
 

So this isn't exactly C5, but a while ago, I found some Axtel DMS logs on Scribd. No, seriously. You can see from there they have quite a few R2 trunks provisioned for end users: 142785363-switch-a.pdf . We were playing with this on the bridge a few months ago - something I sorta want to get into again at some point; a few people seemed pretty excited about it. There's one particular number, +52-818-114-1500 (on the AX2P42 trunk group; labeled STA_CATARINA_CALL_CENTER_PBX_R2. If you look at page 224, you'll see the trunk group type configuration for this and many others; there's a bunch of R2 trunks with generic labels) that will send a backwards 4 in MFC (780 + 1140 hertz)to the switch - indicating a network error when it messes up. Which it occasionally does. Dunno how or if these can be seized, but it seemed worth mentioning.

 

Speaking of which, I don't have the number for this; I had the bright idea of putting it on the speed dial for a calling card and then letting it expire, but Russia has some sort of strange signaling - perhaps another R2 variant floating about in their network. This particular call I remember being to Siberia: weirdmfs.flac . A lot of their switches use whatever this is. It enables them to send vacant number conditions and such over their signaling network. All I do here besides try and hit some DTMF is whistle 2600 twice; once to seize the trunk, and another time to make the switch get all angry. The tones you hear are the standard R1 frequency set, but obviously an R1 trunk never barks MFs back at you.

 

EDIT: Crap, I forgot about the Cuba stuff. From what I understand, Havana if no other place has a reasonably modern network of Alcatel gear. As for the fixed GSM terminals, there's some older documents on Cuban telecom infrastructure lying around. All of them seem to point towards the Cuban fixed network being very over capacity. That could have something to do with that particular addition.

 

As for Paraguay, radio_phreak mentioned to me a while back a particular set of numbers that would route to C5 trunks over some carriers. I believe it was +595-528-222-xxx.

 

Back to the C5 stuff though, does anybody know where we can find a protocol spec document for it? That'll probably help us with some of the oddities we've found on some of these trunk groups.

 

Another EDIT: http://www.itu.int/rec/T-REC-Q.140-Q.180/en

 

Holy shit, another EDIT: http://www.binrev.com/forums/index.php?/topic/47028-portugal/#comment-364799

 

portugal_c5.flac

 

One (hopefully) last thing - for anybody looking for international credit, I've found http://www.call2.com to be pretty good for the most part. Most of their routes look to be resold MCI, the rates are reasonable, and it tends to be decent quality. It is a callback service though, so it can be a little clunky for a large number of calls like in a scan. DMS-10 loops can be a good way to make this a little less painful. I feel kinda gross giving out a plug like that, but given the relative obscurity of the service and the content of the thread, it seems appropriate.

Edited by ThoughtPhreaker
4

Share this post


Link to post
Share on other sites

Strange telephone systems (from a westerner's viewpoint anyways) are pretty usual for Russia. The Soviet-era 300 MHz analog cellular system in eastern Russia and Siberia is still sometimes known to get relayed across the Pacific by the aging FLTSATCOM (maybe also UFO?) birds (essentially just simple downconverter-based FM "repeaters" that will happily relay any audio they hear as long as it falls within the transponders' passbands) along with the Brazilians on 240-270 MHz...

UFO 6 Tp. 20 (255.550 MHz) (Best coast) - very popular with Brazilian pirates. Shared frequency with FLTSATCOM 8 (East coast) so there's more or less nationwide coverage. Put it in your scanner before you head off for a long road trip and monitor away.

1

Share this post


Link to post
Share on other sites

Posted (edited)

Woah! Are there any recordings of this? Or better yet, any way to access this network over the phone? I can't exactly see Russia from my house, but I'm on the very western tip of the US. Just say the word and I'll throw up a phone patch, SDR, and whatever antenna works well for VHF.

Edited by ThoughtPhreaker
0

Share this post


Link to post
Share on other sites
1 minute ago, ThoughtPhreaker said:

Woah! Are there any recordings of this? Or better yet, any way to access this network over the phone? I can't exactly see Russia from my house, but I'm on the very western tip of the US. Just say the word and I'll throw up a phone patch, SDR, and whatever antenna works well for a phone patch.

 

It needs a little bit of setting up antenna wise but other than that the first port of call is uhf-satcom.com then look in the UHF section, he may have some recordings. Years back (actually now that I come to think of it, back in 2009-2010 time) there was some analog C-band phone patches that were still up and relaying traffic from Morocco and Algeria. Essentially for that though you needed a big ol' dish (like 3m iirc) and a C-band LNB after which you tuned in to the IF of the signal and voila! In the clear conversations 70% in Arabic, 29% French and 1% in English if I remember correctly. 

0

Share this post


Link to post
Share on other sites

Is that really 300MHz, or NMT450?

0

Share this post


Link to post
Share on other sites

Somewhere in 300 MHz as I recall.

There are also long-range cordless (home) telephones that operate between 250 and 390 MHz. This thread speaks of them: https://forums.radioreference.com/satcom-space-satellite-monitoring-forum/309366-251-275-conus-phone-conversation.html

Brands are "Senao" and "Alcon". No doubt those also get picked up by the satellites and relayed.

https://www.alibaba.com/showroom/senao-long-range-cordless-phone.html
https://www.alibaba.com/product-detail/SENAO-SN-358-PLUS-Long-range_50007324096.html
http://www.alconphones.com/ALCON/




and whatever antenna works well for a phone patch.





I just monitor with a HT and a BNC telescoping whip. Nothing really special. I'm sure a yagi would work better but a whip is all I have right now.

0

Share this post


Link to post
Share on other sites

866-284-3437 stopped working :(

0

Share this post


Link to post
Share on other sites

Here it is, I knew I had that text file around somewhere. It's not actually cellular at all nor is it AMPS so I guess my memory's becoming corrupted in my old age. It sounds like it should be an odd hybrid of AMPS and IDEN though it no doubt preceded the latter by at least a generation and probably also preceded the former by some length of time. I mean, they *did* get a spacecraft into orbit years before our bureaucracy ever did, after all. I personally have yet to hear any such communications on sat frequencies but I admit I haven't really much attention to that frequency range. (I think just the sheer novelty of hearing the Brazilian pirates ("voices from far-away places" my mother recently described it) on the lower frequencies eclipsed it. Maybe someday I'll get lucky.)

http://www.crypto.com/misc/uhf-sats/

While the PAC constellation may lack Brazilian pirates, it has its own source of unintended signals not found on CONUS or LANT satellites: Russian mobile telephones. Some areas of Russia (and the former Soviet Union generally) are still served by a non-cellular trunked analog mobile telephone system, called Altai, that operates in the 300-344 MHz range. Certain TACSET uplink frequencies are shared with those of Altai base station outputs, whose signals often make their way up to (and are retransmitted by) PAC region transponders whose uplinks are on those frequencies. The Altai system dates from the Soviet era and long predates the UHF TACSAT system, so this unintended traffic has presumably been an issue from the very beginning of TACSAT deployment.

0

Share this post


Link to post
Share on other sites

866-284-3437 stopped working

 

I'd give it a week or so; they still have the weird tromboning arrangement to hit the C5 trunks set up. If it was going to be gone for good, they would've gotten rid of that.

1

Share this post


Link to post
Share on other sites

But I did get some nice T-carrier hum and some 2600 tweeps out of it.

877-655-0054 - C5 Trunk to Argentina via AT&T



I called this one twice this afternoon. First time I got the music that almost talks the call down, few 2600 tweeps and it hung up, second time it rang (Argentinian ring!), couple 2600 tweeps, guy answered and spoke Spanish for a moment, hung up with 2600 and went to gateway reorder.

I think I kind of like this one ;)

6843 and 9433 went to Pat Fleet CBCAD.

you'll hear this curious reorder tone from the international gateway that sorta fades in and out.



I kind of got nostalgic for Stromberg XY days hearing that! I wouldn't be surprised by that if it's an EWSD.

0

Share this post


Link to post
Share on other sites
On 8/22/2017 at 11:08 AM, ThoughtPhreaker said:

 

 

 

I'd give it a week or so; they still have the weird tromboning arrangement to hit the C5 trunks set up. If it was going to be gone for good, they would've gotten rid of that.

 

Looks like you were right; the number is going to a Singtel not in service announcement now. I guess now is our golden opportunity to try and figure out what it's routing over. The carrier tromboning their way over to what's probably Singapore (actually, does Singtel have any end offices in Malaysia? The C5 circuits were always on specifically Malaysian conference numbers. For whatever it's worth, I tried routing to them explicitly over the Singtel direct service and it never gave me any C5 cheeps) will cycle through several routes before eventually giving up.

 

I guess after Intercall and Genesys merged, the old Genesys stuff was considered redundant. It was always really hard to find conference numbers on this thing. I always chalked it up to non-Americans not feeling the impulse to share everything; US conferences are disproportionately easier to find than, say, Canadian or Mexican ones. But shut down plans probably make more sense.

Edited by ThoughtPhreaker
0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now