The Telco Inside NewsLetter
"We're trapped in the switches and trying to dig our way out!"
Http://research.telco-inside.org
Release Date: 1/4/02

Best viewed at 800x600 res+ via WinVI.exe, Notepad.exe, and write.exe
./vi, ./pico, and ./jstar

[ TIS - TOC ]
000 - Synopsis
001 - Mentre tu dormivi ....
010 - Ericsson WAP vulnerability
011 - Dial tone guitar tuning
100 - Ueber-numbers to boot!
101 - Script for the Ameritec AM2-D.
110 - Telco-Inside updates
111 - After-thought & Appendix

[ASCII diagram: NPAC, IXC, STP, ANAC, CLEC SWITCH, POT BAY (DLC, 107AF), CTS]

-----------------------------------------------------

[ Synopsis ]

This is the first and probably the last Telco Inside newsletter.
I initially decided to create this because a lot of the rev0lt
contributions were really small. This issue will be going over a lot
of stuff that doesn't really count as 0day, for it's been floating
around "our scene" for a while now. ph0ne-k1ng will be going over
a new toy he'd found in our "while you were sleeping" section, 139
will be going over cell phone "taps", I'll give out a few numbers
and an anonymous party will be handing out some telco w4rez. Of course
there's the usual other misc stuff that doesn't deserve mention.
We won't be going over a lot of stuff, seeing that the only reason
why we're doing this is so we can make a decent text file.

Your temporary editor,
- cuebiz

-----------------------------------------------------

[ Mentre tu dormivi .... ]

How'd you like an all in one test set? That's right! Able to test
Voice, ISDN PRI, Frame Relay, SS7, GSM and many more. Wouldn't you love
to have one of these? It's the Sunset T10, order yours today!

It weighs about 2-3 pounds with a sleek black plastic casing and a
NiMH battery that gives about 3 hours worth of power. It allows
sequential call tests (similar to war-dialing, except it does pass/fail
tests to see if the line's working) and doubles as a butt-set; meaning it
has a mic and speaker. On the upper-left side of your set, you'll notice
that you'll have dual (yes, you heard me!) transmitters & receivers -
which are real time-savers when out in the field. Not to mention that it
comes with an added datacom port which enables testing on V.35, RS232,
RS449, X.21, and RS530 interfaces.

With this miracle box, you'll be able to check voice quality on your
GSM and PRI circuits. Now, fantasize about this, how'd you like to pop
open a remote terminal and be able to test EVERYTHING? These T10's ship
with their own PCMCIA card slot which allows field technicians (or phreaks)
to instantly upgrade/change software when needed. Now, keep in mind that
all of this will fit into an average sized back-pack.

I'm running out of space here, so for more info. check out the site
at www.sunrisetelecom.com or write to Sunset Telecom for more info:

Sunset Telecom Inc.
22 Great Oaks Blvd.
San Jose, CA 95119

POTS number: 408-363-8000
FAX. number: 408-363-8313

- Ph0ne-K1ng

-----------------------------------------------------

[ Ericsson WAP vulnerability ]

It's been public domain for some time now that Ericsson's WAP
enabled phones _CAN_ be tapped, to keep this short, here's the 'sploit

0x01 . Type 904059
0x02 . Choose "Menu"
0x03 . Choose "Yes"
0x04 . "1"
0x05 . "RCL"
0x06 . Type "830001"
0x07 . Choose "yes"
0x08 . Type "86"

You cannot choose a specific person to tap, but it is something to do
when you're bored and want something to do.

^ 139 ^

-----------------------------------------------------

[ Dial tone guitar tuning ]

By: Cuebiz (BSC)

Did *you* know that our US dial tone standard is equivalent (or VERY
close) to the F chord? Yes, it's true! It's actually a bit sharp, but it's
unbelievably close. So, hold down the E string (the big string) at the
first fret, and match the two tones! Now all you have to do is tune
everything else accordingly. Tada!

-----------------------------------------------------

[ Script for the Ameritec AM2-D ]

#
# Description: Written for the Ameritec AM2-D.
#              Able to test 5 milliwatt lines from each
#              originating channel. Found this sitting
#              in some dude's box back in '98 - didn't
#              think much of it until now. It's a nice
#              script to play around with.
#

DIALTYPE channel dial_type ;Set dial type to DTMF
REPEAT 0 ;Main (infinite) loop until user stops unit
|SET #a 0 ;Initialize pointer for mw numbers to test
|REPEAT Num_mw_nums ;Secondary repeat for each mw number called
||SYNC ;Wait for channel synchronization with other call programs
||COUNT #a ;mw number to be dialed(control pointer)
||BEGIN ;Initialize all lines involved in this call program...
|||INIT channel ; in this case, only 1 line
||END
||DELAY timed_start ;Stagger call start time
||EVENT channel 211 ;Set channel as an originating call
||CLRSIGS ;Clear all signals which may have existed in the line
||OFFHOOK channel ;Go offhook
||TIME #z ;Record current time for reference
||WAIT channel 102 st_sig_dly st_sig_fail ;Wait for dialtone
||TIME #w ;Record current time so we know how long we waited
||SUBTRACT #w #z #w ;Store in register #w
||IF.FAIL ;No dialtone detected
|||REPORT channel
||||CODE 1 #z ;Report Originate Attempt
||||CODE 5 #a ;Report No Start
|||END
|||STOP ;Stop if running in Stop On Trouble mode
||ELSE ;Else, dialtone was detected
|||IF.DELAY ;If dialtone was delayed
||||REPORT channel
|||||CODE 4 #w ;Report Slow Start
||||END
|||END ;End of delay block
|||SDVALID channel #z ;Record start dial validation time
|||SUBTRACT #w #z #w ;Adjust for validation time
|||DELAY dial_dly ;Wait for specified period before dialing
|||IF.EQUAL #a 1 ;IF-ELSE-END statement to say which no. to dial.
||||DIAL channel mw_digits_1
|||ELSE
||||IF.EQUAL #a 2 ; "
|||||DIAL channel mw_digits_2
||||ELSE
|||||IF.EQUAL #a 3 ; "
||||||DIAL channel mw_digits_3
|||||ELSE
||||||IF.EQUAL #a 4 ; "
|||||||DIAL channel mw_digits_4
||||||ELSE
|||||||IF.EQUAL #a 5 ; "
||||||||DIAL channel mw_digits_5
|||||||END ; "
||||||END
|||||END ; "
||||END
|||END ; "
|||WAIT channel 110 0.0 60.0 ;Wait for dialing to complete
|||IF.FAIL ;If DIAL command failed
||||SET #y 1 ;Set system error register for dial time-out
||||REPORT channel
|||||CODE 1 #z ;Report Originate Attempt
|||||CODE 3 #w ;Report Avg. Start Delay
|||||CODE 255 #y ;Report System Error
||||END
||||STOP ;Stop if running in Stop On Trouble mode
|||ELSE ;Else, Dial command successful
||||SET #c 0 ;Control var. for detection of 1st & 2nd sample of mw tone
||||TIME #z ;Record current time for reference
||||REPEAT 0 ;Receive tone loop to detect mw tone.
|||||RECVTONE channel 980 1020 mw_timeout ;Wait for mw tone
|||||WAIT channel 110 0.0 (mw_timeout + 1) ;Wait for RECVTONE to detect
|||||TIME #n ;Record current time so we know how long we waited
|||||SUBTRACT #n #z #n ;Store in register #n time waited for mw tone
|||||IF.FAIL ;If tone detection failed
||||||IF.SIG channel 109 ;If failed due to time-out
|||||||SET #y 13 ;Set system error register for time-out
|||||||REPORT channel
||||||||CODE 1 #z ;Report Originate Attempt
||||||||CODE 3 #w ;Report Avg. Start Delay
||||||||CODE 255 #y ;Report System Error
|||||||END
||||||ELSE ;Else tone detection failed due to System Error
|||||||REPORT channel
||||||||CODE 1 #z ;Report Originate Attempt
||||||||CODE 3 #w ;Report Avg. Start Delay
||||||||CODE 8 #a ;Report Confirming Failure
|||||||END
||||||END
||||||LEAVE 1 ;Exit the secondary loop due to failure to detect mw tone
|||||ELSE ;Else tone detection was successful
||||||IF.EQUAL #c 1 ;If mw tone has been confirmed twice
|||||||REPEAT 0 ;Conversation Loop
||||||||TIME #m ;Record current time for reference
||||||||SUBTRACT #m #z #m ;Store conversation time in register #m
||||||||IF.GEQU #m (conversation * 10) ;If time has been exceeded
|||||||||REPORT channel ;Report call completed successfully
||||||||||CODE 1 #n ;Report Originate Attempt
||||||||||CODE 2 #n ;Report Originate Complete
||||||||||CODE 3 #w ;Report Avg. Start Delay
||||||||||CODE 7 #n ;Report Avg. PD Delay
|||||||||END
|||||||||LEAVE 2 ;Leave Receive tone loop and conversation loop
||||||||ELSE ;Else conversation time has not been reached
|||||||||IF.SIG channel 112 ;If far-end disconnected
||||||||||REPORT channel
|||||||||||CODE 1 #n ;Report Originate Attempt
|||||||||||CODE 2 #n ;Report call completed
|||||||||||CODE 3 #w ;Report Avg. Start Delay
|||||||||||CODE 7 #n ;Report Avg. PD Delay
||||||||||END
||||||||||LEAVE 2 ;Leave Receive tone loop and conversation loop
|||||||||END ;End far-end disconnect block
||||||||END ;End conversation block
|||||||LOOP ;End conversation loop
||||||ELSE ;Else only 1st sample of tone detected so far
|||||||COUNT #c ;Increment counter, 1st tone detected
|||||||DELAY 0.1 ;Minimum delay
|||||||DELAY tone_tone ;Delay to increase the gap
||||||END ;End confirmation of 2nd sample block
|||||END ;End of tone detection block
||||LOOP ;End of receive tone loop
|||END ;End of Dial command block
||END ;End of Dialtone block
||ONHOOK channel ;Go to ON HOOK condition
||DELAY intercall ;Wait for Intercall time before making the next call
|LOOP ;End of Secondary loop
LOOP ;End of Main (Infinite) loop

# VARIABLES ;List of variables used in this script (call program)
channel ;Line channel
dial_type = 2 ;Channel dial type set to DTMF
conversation = 0 ;Conversation time (in seconds)
Num_mw_nums = 5 ;Number of mw phone numbers to be tested
mw_digits_1 = 8189155441 ;Telephone number for mw number 1
mw_digits_2 = 8189155442 ;Telephone number for mw number 2
mw_digits_3 = 8189155443 ;Telephone number for mw number 3
mw_digits_4 = 8189155444 ;Telephone number for mw number 4
mw_digits_5 = 8189155445 ;Telephone number for mw number 5
timed_start = 0 ;Time (in seconds) delay to stagger calls
st_sig_dly = 3 ;Time (in seconds) required to report a late dialtone
st_sig_fail = 15 ;Maximum time (in seconds) we wait for a dialtone
dial_dly = 0 ;Time (in sec) we wait before dialing
mw_timeout = 3 ;Maximum time (in seconds) we wait for a mw tone
tone_tone = 0 ;Time (in seconds) between the 1 & 2 mw tone
intercall = 3 ;Wait time (in seconds) before making the next call

# END

-----------------------------------------------------

[ Ueber-numbers to boot! ]

I took a trip down to Anchorage (907) recently to visit 139's parents
and decided to visit an old telco contact. He informed me that he's
really anxious to see QuickTime's MPEG-4 released and we talked a little
about some of the projects he's working on. He commented on how shitty
rev0lt zine was. So, after I gave him a black-eye - we decided to talk
about some of the old conf. days and during our conversation - he'd
accidentally blurted out some WATS numbers that I thought would be
interesting to some people in the phone phreak community. Anywho, here
they are. Afterward, I've included some names of the assholes working
at the AT&T test Center down in Denver - use what you will ;)

GCI SwitchRoom in Seattle via SAC * 800-770-4732
AT&T 4ESS Trunking Problem Line (Conyers, GA) via SAC * 800-455-1474
AT&T Test Center in Denver via SAC * 800-215-0776 (prompt 2)
Sprint (via GCI nonSS7) Milliwatt test * 877-250-0600
AT&T WorldNet 56k modem line via SAC * 888-296-3892

Denver Test Center Employees:
John Murray, Scott ?, Bill Fritcher, and there's another John, I don't
know his last name; because he mumbles so damn much.

These are all that I could remember off the top of my head. One day,
I'll find someone to put me under hypnosis so I can dig out the other
25+ numbers but for now, just swallow these and tell me how they taste.

- Cuebiz

"So far, as the laws of mathematics refer to reality, they are not
certain. And so far as they are certain, they do not refer to reality"
- Albert Einstein

Note to ATNT (0288): I didn't mean to call you guys assholes :(

-----------------------------------------------------

[ Telco-Inside updates ]

* Welcome back and happy 2002! I stayed up all night, uploading.

* yourname@telco-inside.com emails are now available! Just when you
  thought that Telco Inside couldn't get any better, it gets sponsors!

* RBCP linked TIS (hooray!). It looks like all of those late nights,
  eating mac & cheese has paid off. Telco Inside is on its way to the
  top baby! Okay, this link has gone to my head. Hrrmm, what shall we
  do with our new found stardom? Buy Santa Fe Ranch potato chips instead
  of regular? Sounds good to me! Anywho, kudos goes out to everyone @
  PhoneLosers.org (well, Colleen and Arbie).

* After over 20 social engineering attempts to "hack" the TIS VoiceMail,
  I've decided to just shut it down until I can afford ANI.

[ASCII diagram: TADEM, TAFI, PSAP, CSA, LMOS, Loop Testing, STP, pred. #1, LTS, CTS, DATU, ILEC SWITCH, Draft Access, ANAC, MDF, Direct Talk, 105A, CTAS; exit labelled "(Freedom!)"]

Newsletter Archive: http://research.telco-inside.org/archive/
Author's PGP Key: http://research.telco-inside.org/pgp-key/
Mission Statement: Http://research.telco-inside.org/mission.txt

= Team BlackSheep CopyLeft 2002 =