The Smart Modem (computer.rip)
110 points by zdw on Jan 29, 2022 | 37 comments



One thing the article doesn't really cover is how Hayes solved the problem of it being extremely hard to avoid +++ appearing in the data stream - Hayes required that there be a pause where no data was sent both before and after the +++ before it would transition into command mode, and otherwise would just continue in data mode. Hayes patented this and charged other modem manufacturers to license it - not everyone was willing to pay, so an alternative approach was to change the behaviour to only transition to command mode on +++(valid AT command), which is the reason sending IRC CTCP PING messages containing +++ATH0 was effective at dropping people off IRC (the incoming +++ATH0 did nothing, but the IRC client would then send it back and the modem would drop if it didn't implement the Hayes solution).

Thanks, Hayes. Thayes.


The pause after +++ was really sort of a hack to resolve race condition problems (entering command mode when the modem still had inbound data in the buffer) rather than any kind of security measure, but it did have the upside of making it a little more difficult to get a modem to switch to command mode unintentionally. There were various other solutions to this problem but for the most part it didn't completely go away until the practice of moving data over the Hayes interface became uncommon.


What are birds? We just don’t know.


Aka ping of death. Fun. NOT!


s2=255 in the INIT string of the modem. Solved! (If I remember correctly).


ctcp ping +++ATFYPM


I still have my Hayes 33.6kbaud Voice SmartModem.

I got it long after the BBS era. This was my first device to access the Internet with, around 1999. It was great. And I could even play StarCraft with a friend by dialing him up!

See, this was important because Internet access cost about $1/hr. And in late 90s Ukraine, that was quite a lot of money. $200/month was a decent salary back then.

Now, my mother's computer was running Windows NT 4.0, and it had a dial-up server feature.

So I set it up, along with a small web server[1], and wrote a CGI binary in Delphi to serve up my file stash (laboriously downloaded from the web) to whoever dialed in... which was me, when I was away from home, or some of my friends.

There was also an FTP server for uploading files, and a VNC server for painstakingly slow remote control if needs be.

All powered by the trustworthy Hayes Smart Modem.

[1] https://smallsrv.com


I've developed a simple, two way SMS gateway which connected a Debian (3.0) box to a Nokia 7110 via a serial cable. Everything was done via the Hayes / AT command set. I still have the PDF containing the details for that particular phone.

The system it connected would send an SMS for certain events and take certain actions for received SMS.

Development of this system introduced me to Serial Port programming and serious Linux use in general, and I never left after that day.


Modern solution:

  apt install gammu-smsd


Be careful with doing this in the modern era: cellular carriers have gotten very strict about A2P SMS regulation and if you have more than minimal usage the cellular account might get outbound SMS blocked fairly quickly.


Smstools and smsd might be another option


One thing missing in this article, and in a lot of understanding of the Hayes protocol, is that the escape sequence wasn't just "+++". It was specifically: Pause, +++, Pause. So a series of "+" characters in the transmitted data stream would not make it listen for an AT command. When the modem wasn't online, it was in AT command mode by default anyway. But if in a call, the way to hang up was "Pause +++ Pause ATH0 <CR>" (the zero was implied, "ATH" would work just as well).


Hayes modems required the pause around +++ as a measure to avoid race conditions around data that might be in the inbound or outbound buffers during the switch to command mode. However, there are a number of modems (including in my experience basically all modern modems) that do not enforce the pause requirement and are happy to receive a command immediately following, e.g. +++<CR>ATDT can be sent with no problems on a modern Telit module I'm using. So in practice this was not really an effective mitigation to problems around the +++ switch to command mode and it remained an exploitable security issue for some time in the '90s.
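A small simulation of the guard-time rule discussed in this comment and in the earlier one about the +++ patent, added here as an example; it is not code from the thread, from Hayes or from any modem firmware. The timings, the `s2` parameter and the two constructed byte streams are assumptions, and the model is simplified (no S12 timer, no handling of a fourth "+").

```python
# Constructed simulation, not code from the thread, from Hayes or from any
# modem firmware: a simplified model of the escape-sequence detector on the
# DTE side of a modem. A stream is a list of (idle_ms_before_byte, byte).
# Hayes rule: guard silence, three escape characters sent back to back, guard
# silence. Clones that switch on the bare "+++" are modelled with guard_ms=0.
# The S2 register selects the escape character (43 = '+', 42 = '*').

def escape_accepted(stream, guard_ms=1000, s2=43):
    """Return True if this stream would switch the modem into command mode."""
    def silence(idle):
        # A real guard gap; never true when the guard time is disabled.
        return guard_ms > 0 and idle >= guard_ms

    count = 0             # escape characters in the current candidate
    quiet_before = False  # did the candidate start after a guard gap?
    for idle, byte in stream:
        if count == 3:
            # Candidate complete: it is only an escape if the trailing
            # gap is also satisfied (or the modem enforces no guard).
            if guard_ms == 0 or (quiet_before and silence(idle)):
                return True
            count = 0  # more data within the guard time: plain payload
        if byte == s2:
            if count == 0 or silence(idle):
                quiet_before = silence(idle)   # (re)start a candidate
                count = 1
            else:
                count += 1
        else:
            count = 0
    # Nothing else arrived, so the trailing silence is implied.
    return count == 3 and (guard_ms == 0 or quiet_before)


def burst(text, lead_idle_ms=0):
    """Bytes sent back to back, e.g. a line a client echoes inside data."""
    data = text.encode()
    return [(lead_idle_ms if i == 0 else 0, b) for i, b in enumerate(data)]


# Constructed inputs: an echoed IRC line carrying "+++ATH0" inside the data
# stream, and a deliberate hang-up with proper guard gaps around "+++".
ECHOED_PING = burst("PING +++ATH0\r", lead_idle_ms=1500)
PROPER_HANGUP = [(1500, 43), (0, 43), (0, 43)] + burst("ATH0\r", 1500)
```

With `guard_ms=1000` the echoed line stays payload and only the gapped sequence escapes; with `guard_ms=0` both do, which is the clone behaviour the comments describe, and changing `s2` merely moves the problem to a different character.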


My first proper "hack", at the age of 14, involved exactly this.

The Excelsior! BBS software for Amiga included a pretty cool little scripting layer called the Intuitive Programming Language, or IPL, and all IPL commands began with an escape character of some sort. I don't even remember what that was, but let's use # for the sake of illustration. Normal users couldn't enter the # character and thus couldn't invoke IPL, but the sysop could embed it into pages and do cool stuff. I wanted to do cool stuff.

One of the things IPL could do was change text colors. Of course, most boards would use ANSI escape sequences for the same, but IPL did it in a lot fewer characters, and in a terminal-independent way, which was then translated to ANSI at render time, if the user viewing the page was logged in with an ANSI terminal. (So you could write the same screen and have it work for both ANSI-capable and text-only terminals, for instance. Pretty neat, but I digress.)

Excelsior! was inherently multi-line, and had a great little chat system. Since most BBSs were single-line, this was a big deal and got a lot of use. And naturally, anything that added fancy features to chat was well-received.

Enter the Colorific! extension, which had one purpose: To shove a bunch of IPL color commands _into the user's display name_, so that when you entered chat, you'd have a yellow name, a black name, a rainbow name...

There was another user on the board named Kristine, who hinted ever so gently that Colorific! might have more features than initially met the eye. That was all my curious mind needed, I scoured its menus, played with its functions, and finally it clicked: Through the regular BBS menus, I could edit my display name too! I couldn't enter the IPL escape character, but I could arrow back and forth and edit the rest of the string around it, so if I let the extension give me a rainbow name first, suddenly my name was something like #C14.M#C13.y#C12.s#C11.e#C10.l#C9.f or whatever. I had a bunch of escape characters to play with. Then I could just stuff in whatever IPL commands fit in the display-name field.

One of the other things IPL could do was insert delays.

I mostly saw this used for graphical effect, like making a fireworks display appear at proper timing independent of modem speed. Unique and cool, but I very quickly recognized the Hayes Escape power of the delay command. Giddy seconds later, I changed my username to #D600.+++#D600.ATH0#CR. and entered chat, whereupon the board promptly hung up on me.

Whoops.

Good thing the display name reset itself after a logout.

So I called back, and this time I changed my username to #D600.+++#D600.ATS2=42#CR.ATO#CR. and entered chat. This time nothing appeared to happen, but I knew I had just changed the settings on the modem serving MY line such that it now expected ** as its escape character, not +++. Then back to the earlier string, entered chat again, and as they say, boom went the dynamite! I was alone, and any time anyone else called back and entered chat, all I had to do was say anything at all, and the board would hang up on them.

I will never forget that feeling. It was discovery, it was power, it was secrecy. It was mayhem of the most incredibly harmless kind.

It was time to have some fun...


It got to the point, as a kid with a Hayes, that every time I mentioned a phone number, I prefixed it with ATDT.

Redialing to get into a bbs seems so long ago, but when a site starts melting under load or a merch drop, I realize the waiting game is played the same way, just in a new box.


The funny thing is, the AT / Hayes Command Set still shows up in semi-recent cellular modems. Did some work with an embedded system using FreeRTOS and it had a cellular modem for sending data. I don't recall all the nuances as it was about 6 years ago, but I was surprised to see it show up as I had to write a very dumb http client for it to send some data from an OBD-II dongle to a web service collecting the data for a PoC.

I had no control over the hardware design, one of the more annoying / interesting projects I had had in a while though.


Yep, GSM standardized on some of the Hayes AT commands and added many new AT commands. Considering GSM was published in 1990, that means they were working on it in the 1980s when these commands were regularly used. I imagine there's no strong incentive to update these commands and they keep getting migrated to whatever new voice and data protocol cellular systems tend to use when it comes to modem interfaces. I guess no one wants to sell an incompatible modem to OEMs, so these old AT commands will probably always be with us.

I remember seeing this a few years ago in some mifi device or something and thinking "Wait are those old modem commands?" I realized, well, that is a modem being used, so they probably just reused old protocols because why not?

List of commands for those interested:

https://www.electronicsforu.com/resources/gsm-at-commands


Not sure if there is a better reason, but I think things like this just end up sticking around due to ossification. Almost anything (desktop/embedded OS, routers, ..) with a PPP stack will be built to work with modems with AT command sets, so new modems built to handle a PPP stack will still end up implementing AT commands. Meanwhile if it's not broke, why fix it? It looks like the ATDT command has worked since 1981.

All of at least Huawei's 3G/4G dongles still support this mode, and I would expect it's the same for pretty much any other vendor.


I always thought patenting any aspect of a modem was an anti-pattern. The whole point of modems was to offer standardised end to end communication. To me that includes the control, meta or not. Paying the Hayes tax for +++ summed up everything that was (and remains) wrong in software patents.


If all emergency numbers dial EMRGD, how does it work in places where 999 and 995 are for two different types of emergency?


Yeah I wondered about that too. My country has different numbers for police, ems, and fire brigade


Oh godz, not those shite winmodems. What MBAs came up with that shite idea of soft modems that would only work under Windows ?! I'll keep my trusty USR Courier 56k (originally 28k8, but upgraded a few times to V90) modem until they decommission the old copper phone lines, thank you very much !


These Hayes modems were very specifically not winmodems, they were fully discrete modems. Winmodems typically did not use Hayes commands at all, although drivers often provided support for them running on the host. This makes sense if you think about it - in a winmodem, modulation is performed by the host, so the only thing sent to the modem is commanding and never data.


I've also got a Hayes V92 modem so I fully get what you're saying. But winmodems were /awful/


Maybe you’re being sarcastic, but the point of a soft modem was to save the cost of a DSP chip in the modem and just run the software on the host CPU in the driver. That drivers were not written for OSes other than Windows was mostly a function of Windows’ 95+% market share.


It's a nice idea but Windows is most definitely not a real time operating system. Timings have to be precise or the modem signal can't be processed correctly. Under load, or if the processor is underpowered or there's a lack of memory, all that goes out the window.


What makes you think you need a RTOS? Windows is perfectly capable of playing and recording 8-bit / 8 kHz audio.

> Timings have to be precise or the modem signal can't be processed correctly.

Ok, and? Can you not play MP3s on Windows?


Same applies. It can sound shit.


Given that the cellular system has a 9-1-1 system that works independent of phone numbers/subscriptions, is there a VoIP box/ATA that has a GSM/LTE connection for cellular-based 9-1-1?

In Canada, if you pay for 911 from your VoIP provider, it still sends the call first to a site that verifies your address and once confirmed goes to the PSAP, so the value of paying for it isn’t really there.

https://forums.redflagdeals.com/how-911-fpl-voip-ms-ooma-183...


You could run 911 calls through a cellular gateway using a few different methods depending on your PABX. Historically it was not at all uncommon to run most calls over VoIP but use an ISDN or analog line specifically for emergency calls. But I wouldn't really recommend it, there's a lot of complexity with GSM e911 that is different from the complexity with non-cellular e911. I'm only familiar with the US regulatory regime, not the Canadian one, but VoIP operations are usually required to take very specific measures towards proper handling of 911 calls, particularly since the recent US legislation wrt central notification of 911 calls from multi-tenant facilities. So there are reasons to stay pretty close to the letter of the law.


Yeah, the US would require an unsubscribed analog line to still be able to call 9-1-1, but no such requirement in Canada. Once you kill your subscription, the line goes open circuit/dead.


I was thinking that Apple dropped the modem from its Powerbook line, but apparently, it wasn't until after the Intel switch that the modems disappeared. I don't think I ever used the modem in my early Macs.


The iBooks definitely had them. Back on dialup, you could hook up your airport base station to the modem and initiate a connection as needed, but it was just as easy to plug the phone jack straight into your laptop.


+++ATH was one of the first abuses of in band signaling I got to enjoy.


It wouldn’t work on a genuine Hayes modem - those would only listen for commands if there was a pause, +++, another pause, and then the AT command. Hayes’ patent was actually on the pause itself (in-band signaling was already well-known), so the off-brand modems wouldn’t implement it, while still implementing the “Hayes-compatible” command set. Those are the ones you could get to hang up if you could trick the program on the other end into echoing the string “+++ATH”.


Only on a misconfigured or not properly Hayes compatible modem. See other comment.


I never owned a Hayes but I used numerous off brand imitations most of which had the same repairable construction.

