The Telco Inside NewsLetter
"We're trapped in the switches and
trying to dig our way out!"
Http://research.telco-inside.org
Release Date: 1/4/02
Best viewed at 800x600 res+
via WinVI.exe, Notepad.exe, and write.exe
./vi, ./pico, and ./jstar
+--------------------------------------+
| |
| +---------+ |
| | NPAC- | | [ TIS - TOC ]
| +----:----+ | 000 - Synopsis
| : | 001 - Mentre tu dormivi ....
| +-----+ +---:---+ 0 | 010 - Ericsson WAP vulnerability
| | IXC | | STP |''''0 | 011 - Dial tone guitar tuning
| +--:--+ +---:---+ 0 | 100 - Ueber-numbers to boot!
| : .... : | 101 - Script for the Ameritec AM2-D.
| :...: . . | 110 - Telco-Inside updates
| . ..- | 111 - After-thought & Appendix
| : : |
| +------+ +-:--:--------+ |
| | ANAC |::::| CLEC SWITCH |:::::::::::::::::
| +------+ +-------------+ | ::
| :: | ::
| :: | ::
| :: | ::
| +-----------+ | ::
| | POT BAY | | ::
| | | | ::
| | [ DLC ] | | ::
| +-----+ ......[ 107AF ] | | ::
| | CTS |.: +-----------+ | ::
| +-----+ | ::
| | ::.............................
+--------------------------------------+ ::
::
[ Synopsis ] ::
This is the first and probably the last Telco Inside newsletter ::
I initially decided to create this because alot of the rev0lt ::
contributions were really small. This issue will be going over alot ::
of stuff that doesn't really count as 0day for its been floating ::
around "our scene" for a while now. ph0ne-k1ng will be going over ::
a new toy he'd found in our "while you were sleeping" section, 139 ::
will be going over cell phone "taps", I'll give out a few numbers ::
and an anonymous party will be handing out some telco w4rez. Of course ::
there's the usual other misc stuff that doesn't deserve mention. ::
We wont be going over alot of stuff, seeing that the only reason ::
why we're doing this is so we can make a decent text file. ::
::
You're temporary editor, ::
- cuebiz ::
::
----------------------------------------------------- ::
::
::
[ Mentre tu dormivi .... ] ::
How'd you like an all in one test set? Thats right! Able to test ::
Voice, ISDN PRI, Frame Relay, SS7, GSM and many more. Wouldn't you love ::
to have one of these? Its the Sunset T10, order yours today! ::
::
It weighs about 2-3 pounds with a sleak black plastic casing and, a ::
NiMh battery that gives about 3 hours worth of power. It allows ::
sequential call tests (similar to war-dialing, except it does pass/fail ::
tests to see if the lines working) and doubles as a butt-set; meaning it ::
has a mic and speaker. On the upper-left side of your set, you'll notice ::
that you'll have dual (yes, you heard me!) transmitters & recievers - ::
Which are real time-savers when out in the field. Not to mention that it ::
comes with an added datacom port which enables testing on V.35, RS232, ::
RS449, X.21, and RS530 interfaces. ::
::
With this miracle box, you'll be able to check voice quality on your ::
GSM and PRI circuits. Now, fantasize about this, how'd you like to pop ::
open a remote terminal and be able to test EVERYTHING? These T10's ship ::
with its own PCMCIA card slot which allows field technicians (or phreaks)::
to instantly upgrade/change software when needed. Now, keep in mind that ::
all of this will fit into an average sized back-pack. ::
::
Iam running out of space here, so for more info. check out the site ::
at www.sunrisetelecom.com or write to Sunset Telecom for more info: ::
::
Sunset Telecom Inc. ::
22 Great Oaks Blvd. ::
San Jose, CA 95119 ::
::
POTS number: 408-363-8000 ::
FAX. number: 408-363-8313 ::
::
- Ph0ne-K1ng ::
::
----------------------------------------------------- ::
::
[ Ericsson WAP vulnerability ] ::
Its been public domain for some time now that Ericsson's WAP ::
enabled phones _CAN_ be tapped, to keep this short, here's the 'sploit ::
::
0x01 . Type 904059 ::
0x02 . Choose "Menu" ::
0x03 . Choose "Yes" ::
0x04 . "1" ::
0x05 . "RCL" ::
0x06 . Type "830001" ::
0x07 . Choose "yes" ::
0x08 . Type "86" ::
::
You cannot choose a specific person to tap, but is something to do ::
when you're bored and want something to do. ::
::
^ 139 ^ ::
::
----------------------------------------------------- ::
::
[ Dial tone guitar tuning ] ::
::
By: Cuebiz (BSC) ::
Did *you* know that our US dial tone standard is equivilent (or VERY ::
close) to the F chord? Yes, its true! Its actually a bit sharp, but its ::
unbelievably close. So, hold down the E string (the big string) at the ::
first fret, and match the two tones! Now all you have to do is tune ::
everything else accordingly. Tada! ::
::
----------------------------------------------------- ::
::
[ Script for the Ameritec AM2-D ] ::
::
# ::
# Description: Written for the Ameritec AM2-D. ::
# Able to test 5 milliwatt lines from each ::
# originating channel. Found this sitting ::
# in some dudes box back in '98 - didn't ::
# think much of it until now. Its a nice ::
# script to play around with. ::
# ::
::
DIALTYPE channel dial_type ;Set dial type to DTMF ::
REPEAT 0 ;Main (infinite) loop until user stops unit ::
|SET #a 0 ;Initialize pointer for mw numbers to test ::
|REPEAT Num_mw_nums ;Secondary repeat for each mw number called ::
||SYNC ;Wait for channel synchronization with other call programs ::
||COUNT #a ;mw number to be dialed(control pointer) ::
||BEGIN ;Initialize all lines involved in this call program... ::
|||INIT channel ; in this case, only 1 line ::
||END ::
||DELAY timed_start ;Stagger call start time ::
||EVENT channel 211 ;Set channel as an originating call ::
||CLRSIGS ;Clear all signals which may have existed in the line ::
||OFFHOOK channel ;Go offhook ::
||TIME #z ;Record current time for reference ::
||WAIT channel 102 st_sig_dly st_sig_fail ;Wait for dialtone ::
||TIME #w ;Record current time so we know how long we waited ::
||SUBTRACT #w #z #w ;Store in register #w ::
||IF.FAIL ;No dialtone detected ::
|||REPORT channel ::
||||CODE 1 #z ;Report Originate Attempt ::
||||CODE 5 #a ;Report No Start ::
|||END ::
|||STOP ;Stop if running in Stop On Trouble mode ::
||ELSE ;Else, dialtone was detected ::
|||IF.DELAY ;If dialtone was delayed ::
||||REPORT channel ::
|||||CODE 4 #w ;Report Slow Start ::
||||END ::
|||END ;End of delay block ::
|||SDVALID channel #z ;Record start dial validation time ::
|||SUBTRACT #w #z #w ;Adjust for validation time ::
|||DELAY dial_dly ;Wait for specified period before dialing ::
|||IF.EQUAL #a 1 ;IF-ELSE-END statement to say which no. to dial. ::
||||DIAL channel mw_digits_1 ::
|||ELSE ::
||||IF.EQUAL #a 2 ; " ::
|||||DIAL channel mw_digits_2 ::
||||ELSE ::
|||||IF.EQUAL #a 3 ; " ::
||||||DIAL channel mw_digits_3 ::
|||||ELSE ::
||||||IF.EQUAL #a 4 ; " ::
|||||||DIAL channel mw_digits_4 ::
||||||ELSE ::
|||||||IF.EQUAL #a 5 ; " ::
||||||||DIAL channel mw_digits_5 ::
|||||||END ; " ::
||||||END ::
|||||END ; " ::
||||END ::
|||END ; " ::
|||WAIT channel 110 0.0 60.0 ;Wait for dialing to complete ::
|||IF.FAIL ;If DIAL command failed ::
||||SET #y 1 ;Set system error register for dial time-out ::
||||REPORT channel ::
|||||CODE 1 #z ;Report Originate Attempt ::
|||||CODE 3 #w ;Report Avg. Start Delay ::
|||||CODE 255 #y ;Report System Error ::
||||END ::
||||STOP ;Stop if running in Stop On Trouble mode ::
|||ELSE ;Else, Dial command successful ::
||||SET #c 0 ;Control var. for detection of 1st & 2nd sample of mw tone ::
||||TIME #z ;Record current time for reference ::
||||REPEAT 0 ;Receive tone loop to detect mw tone. ::
|||||RECVTONE channel 980 1020 mw_timeout ;Wait for mw tone ::
|||||WAIT channel 110 0.0 (mw_timeout + 1) ;Wait for RECVTONE to detect ::
|||||TIME #n ;Record current time so we know how long we waited ::
|||||SUBTRACT #n #z #n ;Store in register #n time waited for mw tone ::
|||||IF.FAIL ;If tone detection failed ::
||||||IF.SIG channel 109 ;If failed due to time-out ::
|||||||SET #y 13 ;Set system error register for time-out ::
|||||||REPORT channel ::
||||||||CODE 1 #z ;Report Originate Attempt ::
||||||||CODE 3 #w ;Report Avg. Start Delay ::
||||||||CODE 255 #y ;Report System Error ::
|||||||END ::
||||||ELSE ;Else tone detection failed due to System Error ::
|||||||REPORT channel ::
||||||||CODE 1 #z ;Report Originate Attempt ::
||||||||CODE 3 #w ;Report Avg. Start Delay ::
||||||||CODE 8 #a ;Report Confirming Failure ::
|||||||END ::
||||||END ::
||||||LEAVE 1 ;Exit the secondary loop due to failure to detect mw ton ::
|||||ELSE ;Else tone detection was successful ::
||||||IF.EQUAL #c 1 ;If mw tone has been confirmed twice ::
|||||||REPEAT 0 ;Conversation Loop ::
||||||||TIME #m ;Record current time for reference ::
||||||||SUBTRACT #m #z #m ;Store conversation time in register #m ::
||||||||IF.GEQU #m (conversation * 10) ;If time has been exceeded ::
|||||||||REPORT channel ;Report call completed successfully ::
||||||||||CODE 1 #n ;Report Originate Attempt ::
||||||||||CODE 2 #n ;Report Originate Complete ::
||||||||||CODE 3 #w ;Report Avg. Start Delay ::
||||||||||CODE 7 #n ;Report Avg. PD Delay ::
|||||||||END ::
|||||||||LEAVE 2 ;Leave Receive tone loop and conversation loop ::
||||||||ELSE ;Else conversation time has not been reached ::
|||||||||IF.SIG channel 112 ;If far-end disconnected ::
||||||||||REPORT channel ::
|||||||||||CODE 1 #n ;Report call completed ::
|||||||||||CODE 2 #n ;Report Originate Attempt ::
|||||||||||CODE 3 #w ;Report Avg. Start Delay ::
|||||||||||CODE 7 #n ;Report Avg. PD Delay ::
||||||||||END ::
||||||||||LEAVE 2 ;Leave Receive tone loop and conversation loop ::
|||||||||END ;End far-end disconnect block ::
||||||||END ;End conversation block ::
|||||||LOOP ;End conversation loop ::
||||||ELSE ;Else only 1st sample of tone detected so far ::
|||||||COUNT #c ;Increment counter, 1st tone detected ::
|||||||DELAY 0.1 ;Minimum delay ::
|||||||DELAY tone_tone ;Delay to increase the gap ::
||||||END ;End confirmation of 2nd sample block ::
|||||END ;End of tone detection block ::
||||LOOP ;End of receive tone loop ::
|||END ;End of Dial command block ::
||END ;End of Dialtone block ::
||ONHOOK channel ;Go to ON HOOK condition ::
||DELAY intercall ;Wait for Intercall time before making the next call ::
|LOOP ;End of Secondary loop ::
LOOP ;End of Main (Infinite) loop ::
::
# VARIABLES ;List of variables used in this script (call program) ::
channel ;Line channel ::
dial_type = 2 ;Channel dial type set to DTMF ::
conversation = 0 ;Conversation time (in seconds) ::
Num_mw_nums = 5 ;Number of mw phone numbers to be tested ::
mw_digits_1 = 8189155441 ;Telephone number for mw number 1 ::
mw_digits_2 = 8189155442 ;Telephone number for mw number 2 ::
mw_digits_3 = 8189155443 ;Telephone number for mw number 3 ::
mw_digits_4 = 8189155444 ;Telephone number for mw number 4 ::
mw_digits_5 = 8189155445 ;Telephone number for mw number 5 ::
timed_start = 0 ;Time (in seconds) delay to stagger calls ::
st_sig_dly = 3 ;Time (in seconds) required to report a late dialtone ::
st_sig_fail = 15 ;Maximum time (in seconds) we wait for a dialtone ::
dial_dly = 0 ;Time (in sec) we wait before dialing ::
mw_timeout = 3 ;Maximum time (in seconds) we wait for a mw tone ::
tone_tone = 0 ;Time (in seconds) between the 1 & 2 mw tone ::
intercall = 3 ;Wait time (in seconds) before making the next call ::
::
# END ::
::
----------------------------------------------------- ::
::
[ Ueber-numbers to boot! ] ::
I took a trip down to Anchorage (907) recently to visit 139's parents ::
and decided to visit an old telco contact. He informed me that he's ::
really anxious to see QuickTime's MPEG-4 released and we talked a little ::
about some of the projects he's working on. He commented on how shitty ::
rev0lt zine was. So, after I gave him a black-eye - we decided to talk ::
about some of the old conf. days and during our conversation - he'd ::
accidentally blurted out some WATS numbers that I thought would be ::
interesting to some people in the phone phreak community. Anywho, here ::
they are. Afterward, I've included some names of the assholes working ::
at the AT&T test Center down in Denver - use what you will ;) ::
::
GCI SwitchRoom in Seattle via SAC * 800-770-4732 ::
AT&T 4ESS Trunking Problem Line (Conyers, GA) via SAC * 800-455-1474 ::
AT&T Test Center in Denver via SAC * 800-215-0776 (prompt 2) ::
Sprint (via GCI nonSS7) Milliwatt test * 877-250-0600 ::
AT&T WorldNet 56k modem line via SAC * 888-296-3892 ::
::
Denver Test Center Employees: ::
John Murray, Scott ?, Bill Fritcher, and there's another John, I dont ::
know his last name; because he mumbles so damn much. ::
:: ::
These are all the I could remember off the top of my head. One day, ::
I'll find someone to put me under hypnosis so I can dig out the other ::
25+ numbers but for now, just swallow these and tell me how they taste. ::
:: ::
- Cuebiz ::
:: ::
"So far, as the laws of mathematics refer to reality, they are not ::
certain. And so far as they are certain, they do not refer to reality" ::
- Albert Einstein ::
:: ::
Note to ATNT (0288): I didn't mean to call you guys assholes :( ::
:: ::
----------------------------------------------------- ::
:: ::
[ Telco-Inside updates ] ::
* Welcome back and happy 2002! I stayed up all night, uploading. ::
:: ::
* yourname@telco-inside.com emails are now available! Just when you ::
thought that Telco Inside couldn't get any better, it gets sponsers! ::
:: ::
* RBCP linked TIS (hooray!). It looks like all of those late nights, ::
eating mac & cheese has paid off. Telco Inside is on its way to the ::
top baby! Okay, this link has gone to my head. Hrrmm, what shall we ::
do with our new found stardom? Buy Santa Fe Ranch potato chips instead ::
of regular? Sounds good to me! Anywho, kudos goes out to everyone @ ::
PhoneLosers.org (well, Colleen and Arbie). ::
:: ::
* After over 20 social engineering attempts to "hack" the TIS VoiceMail, ::
I've decided to just shut it down until I can afford ANI. ::
:: ::
+------------------------------------------------------------+ ::
| +----------------+ | ::
| +-------+ [ TAFI ] | LMOS | | ::
| | TADEM |------[ PSAP ] +---------:------+ | ::
| +--:----+ | [ CSA ] ...: | ::
| : o : +------:-------+ | ::
| . 0 :..----| Loop Testing | | ::
| . o : +-:------------+ | ::
|+-:---+ :.......: : | ::
|| STP | ............. : | ::
|+--:--+ . : +-----------+ | ::
| : : : | pred. #1 | | ::
| : [ LTS ] [ CTS ] +------:----+ | ::
| . : : : | ::
| . +---------+ : [ DATU ] : : | ::
| ....: ILEC | .....: : +-----------+ | ::
| | SWITCH |..: : | Draft | | ::
| +:---:---.:............ : | Access | | ::
| : :.. : : : +---.-------+ | ::
| +------+ . : :................:............: | ::
| | ANAC |. +----.---+ : :..... +------------+ | ::
| +------+ | MDF |........ : :..: Direct : | ::
| +--------+ : : : Talk : | ::
| : : : : +----:-------+ | ::
| [ 105A ].:............................. | ::
| : : :............. | ::
| [ CTAS ] :............ : | ::
| : : | ::
+-----------------------------------------:---:--------------+ ::
: ...........................::
(Freedom!)
Newsletter Archive: http://research.telco-inside.org/archive/
Author's PGP Key: http://research.telco-inside.org/pgp-key/
Mission Statement: Http://research.telco-inside.org/mission.txt
= Team BlackSheep CopyLeft <http://www.gnu.org/copyleft/> 2002 =