
Identifying North American Phone Switches - doctorshady
http://thoughtphreaker.omghax.ca/switchid.txt
======
mindcrime
I miss my phreaking days (the early to mid 90's). Me and a couple of buddies
would drive out into the middle of nowhere late at night, find a convenience
store with a COCOT, beige box off of it, and use my shitty 486 laptop to dial
into the telephone switch for the local telco (which we found via trashing).
We eventually worked out the password for an account that had the equivalent
of "root" privileges and for a while basically owned the switch. The problem
was, we didn't know how to _do_ anything fun. We tried to do the thing we'd
read about in that one Kevin Mitnick book, where you turn someone's home phone
into a pay phone (that is, configure it so that when they pick up the phone
and dial, they get the "please deposit $4.75 for the next 5 minutes" message)
but never could get the exact right commands down. Well, so far as we know
anyway. If it worked, we never heard about it. I won't say who the target was,
to protect the guilty.

Those were the days... a 20+ foot phone cord stretched across a parking lot,
and we'd sit there nervously looking for cars that might be cop cars, and try
to figure out what we'd tell the cops if they stopped and asked what we were
doing. But it was a rural area in the mid 90's, so we figured most of the cops
were so technology illiterate that they would have no clue about
hacking/phreaking or anything. At any rate, it (surprisingly, in hindsight)
never came up.

There was a BBS we spent a lot of time on back then as well, from the 303 area
code. I don't remember if the board was named Voyager, or if that was the nick
of the guy who ran it. Anybody remember them/him?

Edit: Found it. The board was "Hacker's Haven" and the sysop was Voyager.

------
Aloha
> * 5ESS line cards are pretty distinct sounding. They'll make weird noises
> whenever you go offhook, have a slightly higher noise floor than most line
> cards, and a very strange frequency response. This doesn't necessarily apply
> if you're using a line served out of a channel bank or something, but the
> line cards can give a very different experience on the phone network
> sometimes.

5E analog line cards are (as far as I know) all concentrated at one level
or another (think 4:1, 10:1, etc.) - which means there is an analog cross point
switch to tie your line up to a codec - when your line goes into permanent
signal, you'll be linked up to what appears to be an analog announcement
trunk, so as to avoid tying up any of the TDM bandwidth on the switch.

Whereas DMS100's are codec per line, and are not concentrated in the same way.
I think GTD-5's are also similar to the DMS and codec per line.

When you go off hook on a 5E you can hear tick-ta-tick-tick-dialtone as it sets
up the link through the analog switching fabric - this seems to be universal to
all 5E's - the 5E2000 sounds different, and I believe uses different ckt packs
to do the switching, but fundamentally appears to work the same way (I've not
had a chance to sit on a 5E2000 line to get permanent signal to confirm that).

~~~
doctorshady
Interesting! Sounds like you're pretty well versed in this sort of thing. The
5ESS analog line cards seem to roll off frequencies before 3100 hertz like on
most switches (a fair bit too - like, maybe anything above 2950). Do you know
if this is a byproduct of the analog switching stage? I always just assumed
that was a bad design decision on someone's part.

As for the announcement trunks, I think the 13A/15A announcement machines,
like the one on that 202-986 number, tend to break channels out into analog
pairs. Sometimes you get crosstalk between the announcement pairs too - it's
absolutely fantastic. For the longest time, I could've sworn the playback
mechanism itself was analog between all the hiss, crosstalk, and analog source
material you'd hear.

For the hell of it, here's some better examples of that system. That 202
number doesn't do it justice;

512-371-3337 (listen for the weird sweep crosstalk at the end)

425-433-0021

~~~
Aloha
I know of no difference in the performance of the line card once the call is
set up (as in I can't hear any), but I do know that what the subscriber hears
from whatever announcement trunk generates permanent signal does sound fuzzy as
hell (think ringing/wooshing S's).

If you wanna hear an interesting recording call 425-226-0000 - notice the lack
of supe at the end of the call.

~~~
doctorshady
Haha, nice. They still haven't made the AIS report default to disconnection?
When they first installed it five years ago or so, they never migrated the
database over from the old unit, so pretty much everything said that. Makes me
wonder how easy it'd be to get an operator asking for a number to key into
that trunk.

As for the announcement trunk though, there are some 5Es equipped with other
machines that sound pretty good;

503-632-1064 - ETC Digicept?

248-200-0015 - Lucent 17A (flash based replacement for the 16/-A. Lots of fun
too. 0010 is the remote administration number)

By the way, someone mentioned a while ago that most of the relatively recent
5ESSes encapsulate everything over ATM. The few printouts I've seen from 5Es
seem to show they're capable of speaking it, but haven't sent data over the
interface. Do you know if there's any truth to that?

~~~
Aloha
Yeah, it rings reorder, then busy, then after like a full minute after the
recording is done it hangs up; it does seem to hang up correctly when calling
from inside that switch.

I don't think so on ATM - I have some documentation for it (training manual,
system architecture processor, SM/CM), and ATM isn't mentioned anywhere in it.
When you consider that the 5ESS architecture was designed in the 1978-1982
timeframe, ATM would make no sense at all; it'd be a backward forklift upgrade
to retrofit it.

Do you have email or something? I'd love to converse further.

~~~
doctorshady
Sure! thoughtphreaker <at> shady <dot> tel

------
throwaway8543
The details about being able to dial 0XX on some switches sounds scary. If I
recall correctly, numbers starting with NPA-0XX and NPA-1XX were reserved for
what essentially became network administrator functionality. These were ways
to reach special telco operators, as well as testing equipment, either locally
or across the long distance network.

Being able to reach this stuff is akin to being able to talk to your ISP's
internal IP network. Given the continued restriction of this special prefix
(your telephone number still cannot start with a 0 or a 1 after the area code)
and the persistence of legacy systems on the PSTN, I would not be surprised at
all if these codes were still in use.

~~~
doctorshady
There are a lot of access tandem codes that use 0xx numbering. A lot of the
really juicy stuff hides on toll networks though, and requires fairly specific
trunks to reach them.

Overall though, I think most of the really sketchy stuff today hides in
regular numbering ranges.

EDIT: I should qualify all that by saying nobody I know has actually gone
through the trouble of rifling through all 10,000 (1,000? In some, the last
digit seems to be ignored) numbers in an ATC before.

There's definitely stuff on there, but for whatever it's worth, Sprint's
DMS-250 network will redirect the last four digits of an ATC destination to
whatever number it thinks goes to the inward operator for that exchange. It's
been like that for years, so maybe there's just nothing critical in there;
else someone would've complained. Or on the other hand, maybe that's their way
of locking it down.

~~~
peterwwillis
Back in the day all the DATUs and SASS stuff were on regular exchanges, so I
don't see why that would change. People like dec0der were indicted for rifling
through all the carrier's "special" COs with wardialers to find them. And
different providers would have different ranges for admin functions,
maintenance, customer support, etc. It doesn't take long for a bored teenager
with a modem to cycle through most of them (remember, only 540 COs per NPA,
and while each CO had up to 10k subscribers, you could guess which ranges had
something interesting on them).

~~~
doctorshady
Considering his text files, I'd think he went through the exchanges by hand.
Typically faster and more accurate if you're just looking for test numbers.

[http://oldskoolphreak.com/tfiles/phreak/ex_scan.txt](http://oldskoolphreak.com/tfiles/phreak/ex_scan.txt)
[http://oldskoolphreak.com/tfiles/phreak/espt2.txt](http://oldskoolphreak.com/tfiles/phreak/espt2.txt)

~~~
peterwwillis
Oh sure, a lot was done by hand, but if you're looking at an exchange without
knowing anything about the carrier and can't find whatever specific range
they're using for op stuff, a wardialer looking for a 400hz tone will save you
time sitting at a dialpad.

These files are from 5 years after I had started phreaking, which was 10-15
years after it had become popular. The only significant change I noticed was
inbound dtmf tones being blocked, which really eliminated a lot of the fun you
could have without finding your way into an admin line, an unsecured modem, or
using social engineering.

Bellsouth-specific exchange scanning by hand:
[https://web.archive.org/web/20010311195935fw_/http://fl2600....](https://web.archive.org/web/20010311195935fw_/http://fl2600.hypermart.net/780changex.htm)

If you'd like to listen to what idiotic phreakers' podcasts from the early
2000s sounded like, here you go:
[http://audio.textfiles.com/shows/binrev/](http://audio.textfiles.com/shows/binrev/)
[http://audio.textfiles.com/shows/defaultradio/](http://audio.textfiles.com/shows/defaultradio/)
(you'll notice default radio has fewer episodes, because decoder went to
jail....)

There are some funny things though like Episode 84 of BinRev Radio, where
Lucky225 finds out his voicemail number was found in Paris Hilton's phone's
notes [after they were hacked], and social engineering their way through gated
communities, which of course still works. Back when hacking was about fucking
with systems, and not bug bounties and CTFs. (Get off my lawn!!!)

~~~
voltagex_
Although they're silly, I learnt a lot from things like BinRev growing up.

Lucky225 also owns the number of the former Mojave Phone Booth [0] which is
now a party/conference line.

[0]:
[https://en.wikipedia.org/wiki/Mojave_phone_booth](https://en.wikipedia.org/wiki/Mojave_phone_booth)

[0.5]: [http://99percentinvisible.org/episode/mojave-phone-booth/](http://99percentinvisible.org/episode/mojave-phone-booth/)

[0.9]: +1 760-733-9969

------
stevenhubertron
This book is a great read and gives an amazing overview of the culture:
[https://smile.amazon.com/Exploding-Phone-Untold-Teenagers-Ou...](https://smile.amazon.com/Exploding-Phone-Untold-Teenagers-Outlaws-ebook/dp/B009SAV5W0?ie=UTF8&btkr=1&ref_=dp-kindle-redirect#navbar)

The group chats must have been so cool at that time.

~~~
chillingeffect
It was fun. One of the interesting aspects of it (there were many) was the
class of people who could share numbers via DTMF. They had built touch-tone
decoders that could log the last 10-20 digits they heard. It separated the
elite from the amateurs.

------
lowglow
I think I hit the tail end of phreaking, most of the exposure I had was
through text files downloaded from BBS/FTP sites that relayed the knowledge of
building "boxes" with such colorful names as "blue", "brown", "rainbow", and
"piss". The phreaking I knew moved from land lines (of which I only
participated in 'beige-ing' from a neighbor's line, and I won a lineman's
handset [thanks #303/cuervocon] ), to cell phone cloning, bridges, and the
occasional digital switch. Less analog hardware, more software/digital
systems. Nostalgic!

------
coldpie
Having been born in the late 80s, this is before my time. But there seems to
be a lot of fondness in hacker culture for phone phreaking. Frankly it seems
almost out-sized: it even got a cameo in Pirates of Silicon Valley. So, why
was this such a big deal? My perspective on it was just a way to get free
calls from pay phones; is there more to it than that? How important/expensive
were these phone calls that it became such a widely known technique? Is it
just admiration for an early, and neat, hardware hack?

~~~
pimlottc
It's sort of hard to grasp how much more difficult long-distance communication
was back then. Phone calls were relatively expensive and charged by the
minute; you generally wouldn't call someone across the country without good
reason or special occasion, and you'd feel real pressure to try to "keep it
short".

Phone phreaking let you talk to whoever you wanted, as long as you wanted, as
often as you wanted. This was a big deal in the days before instant messaging
and was looked on almost as a type of magic.

~~~
mdip
I remember running a BBS and being surprised at the 20 or so users I had from
Germany. When I caught one of them online I asked how they could afford the
bill and was told he had hacked a PBX and was connected, somehow, through
that. I hadn't heard of that trick back then (and don't know the specifics of
it now).

Long Distance was a horrible thing. In 1997, I was working for a CLEC/long
distance provider that existed as a result of the 1996 "deregulation[0]".
Times were _great_ for about two years.

The price for long distance was never perfect against cost, but when
everything went flat rate/minute and that rate continued to drop (ultimately
becoming flat rate, period), I remember sitting in an employee meeting hosted
by the CEO of Frontier (pre-Global Crossing/Frontier and later
Citizens/Frontier). He had a graph on the screen showing the cost of a minute
of long distance and the price we could charge for it. The lines were
converging and I asked the fateful question "what happens when they cross"? To
which I received a political deflection[1]. The best part was all of the
industry rags were, at the time, screaming that there will _always_ be a long
distance surcharge since there will _always_ be call termination per-minute
rates. I could see it was only a matter of time before those fellas were
proven wrong. Younger folks, today, don't have any concept of domestic long-
distance rates, but AFAIK (and I've been out of telecom for a little while
now) call termination still has a per-minute cost.

[0] In quotes because it wasn't so much a deregulation as it was changed
regulation. The goal was to get local carriers to start competing with one
another and long distance carriers. I believe the local carrier had to have a
CLEC in their service area in order to provide their own long distance
service. The hope was more competition with similar kinds of services. The
result was a bunch of CLECs that figured out the law opened up some
interesting opportunities. I remember a friend of mine setting up an ISP for
the cost of equipment. He'd received his local phone numbers from a CLEC that
would hand out locals that would cover a huge geographical area at practically
no cost. What I didn't understand, then, was because call termination _is_ the
"cost" incurred by the LEC, inbound calls were pure profit. ISP lines were
_all inbound_ so the CLEC made buckets of money in pennies/minute from
Ameritech/AT&T for the hours that his customers spent online.

[1] The days after the 1996 telco bill were interesting. Competition opened up
and a whole new set of operators started up doing things like offering lines
to ISPs (most people were dial-up back then) practically for free since all of
the calls would be inbound and result in a huge paycheck from Ameritech/AT&T
or whomever was the major established local carrier.

~~~
mdip
Apologies - that second bullet point was supposed to be:

[1] The deflection was because his solution was to sell the company to Global
Crossing -- at the time, a dot-com darling publicly traded on NASDAQ that lost
heaping amounts of money. There really was no choice. Frontier was _doomed_
because of the costs of its new SONET network and Global Crossing was offering
_way_ too much money so that passing up the deal would guarantee a shareholder
lawsuit.

------
fapjacks
Lucky225 and Evan Doorbell (two contributors mentioned at the bottom) are
pretty legendary phreaks. Probably they all are awesome people, I just know of
those two. Evan Doorbell has an amazing collection of audio, if you're
interested in this kind of thing.

------
astrutt
Discussion is ongoing @ irc.2600.net #telephreak

Awesome write-up! Thanks!!

